16-19 June 2001
Boston, Massachusetts

Sponsored by IEEE Computer Society Technical Committee on Mathematical Foundations of Computing

DISTRIBUTION STATEMENT A
Approved for Public Release
Distribution Unlimited


REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 0704-0188)

2. Report Date: March 31, 2001
3. Report Type and Dates Covered: Final
4. Title and Subtitle: 2001 IEEE Conference on Logic and Computer Science (LICS 2001)
5. Funding Numbers: N00014-01-1-0568
6. Author(s): Joseph Halpern (Editor)
7. Performing Organization Name(s) and Address(es): IEEE LICS
9. Sponsoring / Monitoring Agency Name(s) and Address(es): Dr. Ralph Wachter, ONR, Ballston Tower One, 800 North Quincy Street, Arlington, VA
12a. Distribution / Availability Statement: Approved for public release; distribution unlimited.
13. Abstract: The LICS Symposium is an annual international forum on theoretical and practical topics in computer science that relate to logic in a broad sense. Topics of interest include: automata theory, category theory, concurrency, constraint programming, database theory, domain theory, finite model theory, formal methods, hybrid systems, language calculi, linear logic, complexity, artificial intelligence, logic programming, modal and temporal logics, model checking, semantics, security, rewriting, specifications, type theory, and verification.
14. Subject Terms: Logic, Computer Science, automata, language calculi, concurrency, formal methods, model checking, security, specifications, verification
15. Number of Pages: 441
17. Security Classification of Report: UNCLASSIFIED
18. Security Classification of This Page: UNCLASSIFIED
19. Security Classification of Abstract: UNCLASSIFIED
20. Limitation of Abstract: UL

NSN 7540-01-280-5500. Standard Form 298 (Rev. 2-89), prescribed by ANSI Std. 239-18, 298-102.




Proceedings 

16th  Annual  IEEE  Symposium  on 

Logic  in  Computer  Science 




16-19  June  2001  •  Boston,  Massachusetts 


Sponsored  by 

IEEE  Computer  Society  Technical  Committee  on 
Mathematical  Foundations  of  Computing 




Copyright  ©  2001  by  The  Institute  of  Electrical  and  Electronics  Engineers,  Inc. 

All  rights  reserved 


Copyright  and  Reprint  Permissions:  Abstracting  is  permitted  with  credit  to  the  source.  Libraries  may 
photocopy  beyond  the  limits  of  US  copyright  law,  for  private  use  of  patrons,  those  articles  in  this  volume 
that  carry  a  code  at  the  bottom  of  the  first  page,  provided  that  the  per-copy  fee  indicated  in  the  code  is  paid 
through  the  Copyright  Clearance  Center,  222  Rosewood  Drive,  Danvers,  MA  01923. 

Other  copying,  reprint,  or  republication  requests  should  be  addressed  to:  IEEE  Copyrights  Manager,  IEEE 
Service  Center,  445  Hoes  Lane,  P.O.  Box  133,  Piscataway,  NJ  08855-1331. 

The  papers  in  this  book  comprise  the  proceedings  of  the  meeting  mentioned  on  the  cover  and  title  page. 
They  reflect  the  authors’  opinions  and,  in  the  interests  of  timely  dissemination,  are  published  as  presented 
and  without  change.  Their  inclusion  in  this  publication  does  not  necessarily  constitute  endorsement  by  the 
editors,  the  IEEE  Computer  Society,  or  the  Institute  of  Electrical  and  Electronics  Engineers,  Inc. 


IEEE Computer Society Order Number PR01281
ISBN 0-7695-1281-X
ISSN: 1043-6871


IEEE Computer Society
Customer Service Center
10662 Los Vaqueros Circle
P.O. Box 3014
Los Alamitos, CA 90720-1314
Tel: +1 714 821 8380
Fax: +1 714 821 4641
http://computer.org/
csbooks@computer.org


Additional copies may be ordered from:

IEEE Service Center
445 Hoes Lane
P.O. Box 1331
Piscataway, NJ 08855-1331
Tel: +1 732 981 0060
Fax: +1 732 981 9667
http://shop.ieee.org/store/
customer-service@ieee.org


IEEE Computer Society
Asia/Pacific Office
Watanabe Bldg., 1-4-2
Minami-Aoyama
Minato-ku, Tokyo 107-0062
JAPAN
Tel: +81 3 3408 3118
Fax: +81 3 3408 3553
tokyo.ofc@computer.org


Editorial  production  by  A.  Denise  Williams 
Cover  graphic  design  by  Alvy  Ray  Smith 
Cover  art  production  by  Joseph  Daigle/Studio  Productions 
Printed  in  the  United  States  of  America  by  The  Printing  House,  Inc. 




Table of Contents

16th Annual IEEE Symposium on Logic in Computer Science


Foreword ... x

Conference Organization ... xi

Additional Reviewers ... xii


Invited Talk

Chair: Joseph Y. Halpern

Probabilistic Polynomial-Time Process Calculus and Security Protocol Analysis ... 3

J. Mitchell, A. Ramanathan, A. Scedrov, and V. Teague

Session 1

Chair: Jean-Pierre Jouannaud

Definitions by Rewriting in the Calculus of Constructions ... 9

F. Blanqui

Deconstructing Shostak ... 19

H. Rueß and N. Shankar

A Decision Procedure for an Extensional Theory of Arrays ... 29

A. Stump, C. Barrett, D. Dill, and J. Levitt

On Ordering Constraints for Deduction with Built-In Abelian Semigroups, Monoids and Groups ... 38

G. Godoy and R. Nieuwenhuis

Invited Talk

Chair: Jean-Pierre Jouannaud

Successive Approximation of Abstract Transition Relations ... 51

S. Das and D. Dill

Session 2

Chair: Pawel Urzyczyn

A Bound on Attacks on Payment Protocols ... 61

S. Stoller

A Dichotomy in the Complexity of Propositional Circumscription ... 71

L. Kirousis and P. Kolaitis

Relating Semantic and Proof-Theoretic Concepts for Polynomial Time Decidability of Uniform Word Problems ... 81

H. Ganzinger


Session 3

Chair: Radha Jagadeesan

Semantics of Name and Value Passing ... 93

M. Fiore and D. Turi

A Fully Abstract Game Semantics of Local Exceptions ... 105

J. Laird

A Universal Characterization of the Closed Euclidean Interval ... 115

M. Escardó and A. Simpson

Invited Talk

Chair: Gordon Plotkin

Logician in the Land of OS: Abstract State Machines in Microsoft ... 129

Y. Gurevich

Session 4

Chair: Michel de Rougemont

Eliminating Definitions and Skolem Functions in First-Order Logic ... 139

J. Avigad

On the Decision Problem for the Guarded Fragment with Transitivity ... 147

W. Szwast and L. Tendera

The Hierarchy inside Closed Monadic Σ1 Collapses on the Infinite Binary Tree ... 157

A. Arnold, G. Lenzi, and J. Marcinkowski

On Definability of Order in Logic with Choice ... 167

T. Huuskonen and T. Hyttinen

Invited Talk

Chair: Erich Grädel

The Engineering Challenge for Logic

Wolfgang Thomas

Session 5

Chair: Erich Grädel

A Second-Order System for Polytime Reasoning Using Grädel's Theorem ... 177

S. Cook and A. Kolokolova

The Crane Beach Conjecture ... 187

D. Barrington, N. Immerman, C. Lautemann, N. Schweikardt, and D. Thérien

An n! Lower Bound on Formula Size ... 197

M. Adler and N. Immerman


Session 6

Chair: Nevin Heintze

Light Affine Lambda Calculus and Polytime Strong Normalization ... 209

K. Terui

Intensionality, Extensionality, and Proof Irrelevance in Modal Type Theory ... 221

F. Pfenning

Dependent Types for Program Termination Verification ... 231

H. Xi

Short Paper Session

Chair: Joseph Y. Halpern

The Dolev-Yao Intruder is the Most Powerful Attacker
I. Cervesato

Semantics of Machine Instructions at Multiple Levels of Abstraction
G. Tan and A. Appel

A Proof-Carrying Authorization System
L. Bauer, M. Schneider, and E. Felten

Recursive Programming Languages for Complexity Classes
E. Covino and G. Pani

Interior-Point Approach to Parity Games
V. Petersson and S. Vorobyov

Recent Progress in Proof Mining
U. Kohlenbach

On the Complexity of Confluence for Ground Rewrite Systems
A. Hayrapetyan and R. Verma

Computing the Density of Regular Languages
M. Bodirsky, M. Gaertner, T. von Oertzen, and J. Schwinghammer

Integrating Simplification Techniques in SAT Algorithms
I. Lynce and J. Marques-Silva

Basic Completion Modulo with Simplification
C. Lynch and C. Scharff

Finite Visit Sequential Deterministic Tree Automata
S. Lindell

Invited Talk

Chair: Ron van der Meyden

Foundational Proof-Carrying Code ... 247

A. Appel


Session 7

Chair: Parosh Abdulla

Intuitionistic Linear Logic and Partial Correctness ... 259

D. Kozen and J. Tiuryn

Perturbed Turing Machines and Hybrid Systems ... 269

E. Asarin and A. Bouajjani

From Verification to Control: Dynamic Programs for Omega-Regular Objectives ... 279

L. de Alfaro, T. Henzinger, and R. Majumdar

Deterministic Generators and Games for LTL Fragments ... 291

R. Alur and S. La Torre

Session 8

Chair: Adolfo Piperno

Normalization by Evaluation for Typed Lambda Calculus with Coproducts ... 303

T. Altenkirch, P. Dybjer, M. Hofmann, and P. Scott

Strong Normalisation in the π-Calculus ... 311

N. Yoshida, M. Berger, and K. Honda

A Symbolic Labelled Transition System for Coinductive Subtyping of Fμ≤ Types ... 323

A. Jeffrey

A Continuum of Theories of Lambda Calculus without Semantics ... 334

A. Salibra

Session 9

Chair: Hubert Comon

Relating Levels of the Mu-Calculus Hierarchy and Levels of the Monadic Hierarchy ... 347

D. Janin and G. Lenzi

Focus Games for Satisfiability and Completeness of Temporal Logic ... 357

M. Lange and C. Stirling

Safety and Liveness in Branching Time ... 366

P. Manolios and R. Trefler

Short Papers

Self-Verifying Systems, the Incompleteness Theorem and the Tangibility Reflection Principle
D. Willard

Repairing the Interpolation Theorem in First-Order Modal Logic
C. Areces, P. Blackburn, and M. Marx

A Game involving Epistemic Logic and Probability
A. Pogel, G. Voutsadakis, and M. Gehrke

A Theory of Advanced Transactions in the Situation Calculus
I. Kiringa


Invited Talk

Chair: Michel de Rougemont

Semistructured Data: From Practice to Theory ... 379

S. Abiteboul

Session 10

Chair: Rance Cleaveland

Synthesizing Distributed Systems ... 389

O. Kupferman and M. Vardi

Permutation Rewriting and Algorithmic Verification ... 399

A. Bouajjani, A. Muscholl, and T. Touili

Temporal Logic Query Checking ... 409

G. Bruns and P. Godefroid

Session 11

Chair: Ron van der Meyden

Typechecking XML Views of Relational Databases ... 421

N. Alon, T. Milo, F. Neven, D. Suciu, and V. Vianu

A Model-Theoretic Approach to Regular String Relations ... 431

M. Benedikt, L. Libkin, T. Schwentick, and L. Segoufin

Author Index ... 441


Foreword 


It’s  hard  to  believe  that  this  is  already  the  16th  LICS.  It  doesn’t  seem  all  that  long  (at  least  to 
me!)  since  the  conference  started.  The  program  chair  of  the  first  LICS  was  Albert  Meyer.  This 
year,  one  of  the  workshops  associated  with  LICS  is  the  Symposium  on  Complexity,  Logic,  and 
Computation,  in  honor  of  Albert. 

From  the  104  submissions  received,  the  Program  Committee  selected  thirty-six  papers.  Many 
worthy  abstracts  had  to  be  rejected  due  to  the  time  constraints  of  the  conference.  These  papers 
are  preliminary  reports  of  ongoing  research.  Most  will  appear  in  more  polished  and  complete 
form  in  scientific  journals.  There  are  also  six  invited  talks  that  are  represented  in  the 
proceedings.  Finally,  the  titles  of  fifteen  short  talks  are  listed.  These  are  mainly  announcements: 
in  some  cases,  full  papers  are  available  from  the  authors;  in  other  cases,  the  research  is  so 
preliminary  that  there  is  no  paper  yet. 

Many  people  put  in  a  great  deal  of  time  and  effort  into  selecting  the  program.  First  and 
foremost,  there  was  the  Program  Committee.  These  days,  program  committee  meetings  are 
virtual;  they  are  conducted  asynchronously  by  email.  That  means  that  “meetings”  take  place  over 
a 10-day period. Program committee members had to read email at all times of the day just to
keep  up.  Fortunately  for  me,  this  was  a  very  active  program  committee,  and  they  seemed  to  be 
willing  to  do  that.  Even  better,  we  were  able  to  converge  to  a  program  that  we  were  all 
comfortable  with  in  a  remarkably  smooth  manner.  This  year  we  put  a  special  emphasis  on  having 
papers  where  the  relevance  to  computer  science  was  clear  and  which  would  be  accessible  to 
nonexperts.  These  proceedings  should  attest  to  how  well  we  succeeded. 

Another  one  of  our  tasks  was  to  choose  the  best  student  paper(s)  for  the  Kleene  award.  This 
year  there  are  two  winners:  Frederic  Blanqui  for  “Definitions  by  Rewriting  in  the  Calculus  of 
Constructions," and Kazushige Terui for "Light Affine Lambda Calculus and Polytime Strong
Normalization.”  I’d  like  to  congratulate  them  both. 

The  people  involved  with  the  conference  organization,  the  program  committee,  and  the 
(many!)  outside  reviewers  used  by  the  program  committee  members  are  all  listed  on  the 
following  pages.  I’d  like  to  thank  them  all;  the  conference  could  not  have  happened  without  their 
efforts.  I’d  like  to  add  a  special  note  of  thanks  to  someone  whose  name  is  not  listed  so 
prominently: Jon Riecke. Jon kept up the submissions software, housed at Lucent, even after he
left  Lucent  for  a  startup. 

I  hope  you  will  find  that  the  contents  of  these  Proceedings  were  worth  the  effort  required  to 
create  them. 

Joe  Halpern 

LICS  2001  Program  Chair 
Probabilistic polynomial-time process calculus and security protocol analysis
(short summary)

Abstract

We describe properties of a process calculus that has been developed for the purpose of analyzing security protocols. The process calculus is a restricted form of π-calculus, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests. To avoid problems expressing security in the presence of nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation may be completed in probabilistic polynomial time and develop properties of a form of asymptotic protocol equivalence that allows security to be specified using observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. We also relate process equivalence to cryptographic concepts such as pseudorandom number generators and polynomial-time statistical tests.


1  Introduction 

A variety of methods are used for analyzing and reasoning about security protocols. The main systematic or formal approaches include specialized logics such as BAN logic [BAN89, DMP01], special-purpose tools designed for cryptographic protocol analysis [KMM94], and theorem proving [Pau97b, Pau97a] and model-checking methods using general purpose tools [Low96, Mea96, MMS97, Ros95, Sch96]. Although these approaches differ in significant ways, all reflect the same basic assumptions about the way an adversary may interact with the protocol or attempt to decrypt encrypted messages. In the common model, largely derived from [DY81] and suggestions found in [NS78] (see, e.g., [CDL+99]), a protocol adversary is allowed to nondeterministically choose among possible actions. This is a convenient idealization, intended to give the adversary a chance to find an attack if there is one. In the presence of nondeterminism, however, the set of messages an adversary may use to interfere with a protocol must be restricted severely. For example, if the adversary may perform bit manipulation on data, then a nondeterministic adversary may guess any possible secret key. Therefore, the common "Dolev-Yao assumptions" only allow an adversary to construct new messages from indivisible data that are either known from the start or found in messages overheard on the network. Although the Dolev-Yao assumptions make protocol analysis tractable, they also make it possible to "verify" protocols that are in fact susceptible to simple attacks that lie outside the adversary model. Another limitation is that a deterministic or nondeterministic setting does not allow us to analyze probabilistic protocols.

* Partially supported by DoD MURI "Semantic Consistency in Information Exchange," ONR Grant N00014-97-1-0505, and DARPA Contract N66001-00-C-8015.

† Additional support from NSF Grant CCR-9629754.

‡ Additional support from NSF Grant CCR-9800785.
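As an added illustration of the Dolev-Yao derivation rules just described (this is not code from the talk or its authors), the following Python models an intruder that may split pairs, decrypt only with keys it can already derive, and recombine known parts, but can never produce an atom such as a key it has not seen; the key-distribution scenario in `demo` is constructed for the example.

```python
"""Dolev-Yao intruder: what can be derived from overheard messages.

Added illustration, not code from the talk or its authors. Messages are
terms built from atoms (names, nonces, keys), pairing and symmetric
encryption. The intruder may take apart what it overhears, decrypt only
with keys it can already derive, and recombine known parts; it never
guesses an atom it has not seen, which is the restriction the text calls
the "Dolev-Yao assumptions".
"""
from typing import Dict, FrozenSet, Tuple, Union

# An atom is a str; a pair is ("pair", left, right); a ciphertext is
# ("enc", body, key), meaning body encrypted under key.
Term = Union[str, Tuple]


def pair(left: Term, right: Term) -> Term:
    return ("pair", left, right)


def enc(body: Term, key: Term) -> Term:
    return ("enc", body, key)


def synthesizable(goal: Term, known: FrozenSet[Term]) -> bool:
    """Synthesis: can goal be rebuilt from known parts?

    A term already known is trivially available. A compound term can be
    built if both of its components can (for a ciphertext: body and key).
    An unknown atom cannot be produced at all, so there is no key guessing.
    """
    if goal in known:
        return True
    if isinstance(goal, tuple):
        _, left, right = goal
        return synthesizable(left, known) and synthesizable(right, known)
    return False


def analyze(initial: FrozenSet[Term]) -> FrozenSet[Term]:
    """Analysis: close the knowledge set under decomposition.

    Pairs are split and ciphertexts are opened when their key is derivable.
    Iterate to a fixpoint, since opening one ciphertext may reveal a key
    that opens another.
    """
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            kind, left, right = term
            if kind == "pair":
                parts = {left, right}
            elif kind == "enc" and synthesizable(right, frozenset(known)):
                parts = {left}          # right is the key, left the body
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return frozenset(known)


def derivable(goal: Term, overheard: FrozenSet[Term]) -> bool:
    """Full Dolev-Yao check: analyze, then try to synthesize the goal."""
    return synthesizable(goal, analyze(overheard))


def demo(a_key_compromised: bool = True) -> Dict[str, bool]:
    """Constructed key-distribution run (not a protocol from the paper).

    A server shares long-term keys Kas and Kbs with A and B and sends A the
    session key Kab together with a ticket {Kab, A}Kbs for B, all under Kas.
    The intruder overhears the message; optionally it also holds Kas.
    """
    kas, kbs, kab = "Kas", "Kbs", "Kab"
    ticket = enc(pair(kab, "A"), kbs)
    msg_to_a = enc(pair(kab, ticket), kas)
    overheard = {msg_to_a, "A", "B"}
    if a_key_compromised:
        overheard.add(kas)
    known = frozenset(overheard)
    return {
        "session_key": derivable(kab, known),
        "replayed_ticket": derivable(ticket, known),
        "ticket_for_other_name": derivable(enc(pair(kab, "I"), kbs), known),
        "b_longterm_key": derivable(kbs, known),
    }
```

With Kas compromised the session key and the existing ticket are derivable, but a ticket under Kbs for a different name and Kbs itself are not; without Kas nothing inside the message is.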

This invited talk will describe some general concepts in security protocol analysis, mention some of the competing approaches, and describe some technical properties of a process calculus that was proposed earlier [LMMS98, LMMS99] as the basis for a form of protocol analysis that is formal, yet closer in foundations to the mathematical setting of modern cryptography. The framework relies on a language for defining probabilistic polynomial-time functions [MMS98]. The reason we restrict processes to probabilistic polynomial time is so that we can reason about the security of protocols by quantifying over all "adversarial" processes definable in the language. In effect, establishing a bound on the running time of an adversary allows us to relax other simplifying assumptions. Specifically, it is possible to consider adversaries that might send randomly chosen messages, or perform sophisticated (yet probabilistic polynomial-time) computation to derive an attack from messages it overhears on the network. A useful aspect of our framework is that we can analyze probabilistic as well as deterministic encryption functions and protocols. Without a probabilistic framework, it would not be possible to analyze an encryption function such as ElGamal [ElG85], for which a single plaintext may have more than one ciphertext.

The work has been carried out in collaboration with P. Lincoln, M. Mitchell, A. Scedrov, A. Ramanathan, and V. Teague. The main ideas are outlined in [LMMS98], with the term language presented in [MMS98] and further example protocols considered in [LMMS99]. The closest technical precursor is the Abadi and Gordon spi-calculus [AG99, AG98] which uses observational equivalence and channel abstraction but does not involve probability or computational complexity bounds; subsequent related work is cited in [AF01], for example. Prior work on CSP and security protocols, e.g., [Ros95, Sch96], also uses process calculus and security specifications in the form of equivalence or related approximation orderings on processes.

Although our main long-term objective is to base protocol analysis on standard cryptographic assumptions, this framework may also shed new light on basic questions in cryptography. In particular, the characterization of "secure" encryption function, for use in protocols, does not appear to have been completely settled. While the definition of semantic security in [GM84] appears to have been accepted, there are stronger notions such as non-malleability [DDN91] that are more appropriate to protocol analysis. In a sense, the difference is that semantic security is natural for the single transmission of an encrypted message, while non-malleability accounts for vulnerabilities that may arise in more complex protocols. Our framework provides a setting for working backwards from security properties of a protocol to derive necessary properties of underlying encryption primitives. While we freely admit that much more needs to be done to produce a systematic analysis method, we believe that a foundational setting for protocol analysis that incorporates probability and complexity restrictions has much to offer in the future.
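To make concrete two points raised above, that an ElGamal plaintext has many ciphertexts and that semantic security alone does not give the non-malleability a protocol may need, here is an added Python illustration that is not code from the talk or from [ElG85]; the group parameters p = 1019, q = 509 and g = 4 are a constructed toy, far too small for any real use.

```python
"""Textbook ElGamal on a toy group: one plaintext, many ciphertexts, and
why semantic security alone is not enough for protocols.

Added illustration, not code from the talk or from [ElG85]. The group
parameters below are a constructed toy (p = 1019 is a safe prime, q = 509,
and g = 4 generates the order-q subgroup); they are far too small for any
real use and exist only to keep the arithmetic easy to follow.
"""
import secrets
from typing import Dict, Optional, Tuple

P = 1019   # constructed toy safe prime, p = 2q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # generator of that subgroup (4 = 2^2 is a quadratic residue mod p)

Ciphertext = Tuple[int, int]


def keygen(x: Optional[int] = None) -> Tuple[int, int]:
    """Return (private x, public h = g^x mod p); x may be fixed for repeatability."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h: int, m: int, r: Optional[int] = None) -> Ciphertext:
    """ElGamal encryption (g^r, m * h^r mod p).

    A fresh random r is drawn unless one is given, so encrypting the same m
    twice normally yields two different ciphertexts: the scheme is probabilistic.
    """
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P


def decrypt(x: int, ct: Ciphertext) -> int:
    """Recover m: recompute the mask h^r = (g^r)^x from c1 and divide it out of c2."""
    c1, c2 = ct
    mask = pow(c1, x, P)
    return (c2 * pow(mask, -1, P)) % P


def scale_ciphertext(ct: Ciphertext, k: int) -> Ciphertext:
    """Malleability: multiplying c2 by k gives a valid ciphertext of m * k mod p
    without the key or any knowledge of m. The ciphertext is still indistinguishable
    from random (semantic security is untouched), yet a protocol that accepts it
    will act on a related plaintext. This is what the non-malleability notion of
    [DDN91] rules out; a scheme meeting it would reject the altered ciphertext.
    """
    c1, c2 = ct
    return c1, (c2 * k) % P


def demo(m: int = 42) -> Dict[str, object]:
    """Constructed run with fixed randomness so the outcome is reproducible."""
    x, h = keygen(x=123)
    ct_a = encrypt(h, m, r=7)
    ct_b = encrypt(h, m, r=11)          # same plaintext, different randomness
    related = scale_ciphertext(ct_a, 3)
    return {
        "ciphertexts_differ": ct_a != ct_b,
        "both_decrypt_to_m": decrypt(x, ct_a) == m and decrypt(x, ct_b) == m,
        "related_plaintext": decrypt(x, related),   # (3 * m) % P == 126
    }
```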

Slides from this talk will be available on the first author's web site at http://www.stanford.edu/~jcm.

Acknowledgements: Thanks to M. Abadi, D. Boneh, R. Canetti, C. Dwork, R. van Glabbeek, A. Jeffrey, S. Kannan, B. Kapron, P. Lincoln, R. Milner, M. Mitchell, M. Naor, and P. Panangaden for helpful discussions and advice on relevant literature.

References 

[AF01] M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In 28th ACM Symposium on Principles of Programming Languages, pages 104-115, 2001.

[AG97] M. Abadi and A. Gordon. A calculus for cryptographic protocols: the spi calculus. In Proc. 4-th ACM Conference on Computer and Communications Security, pages 36-47, 1997. Revised and expanded versions in Information and Computation 148(1999):1-70 and as SRC Research Report 149 (January 1998).

[AG98] M. Abadi and A. Gordon. A bisimulation method for cryptographic protocol. In Proc. ESOP'98, Springer Lecture Notes in Computer Science, 1998.

[AG99] M. Abadi and A. Gordon. A calculus for cryptographic protocols: the spi calculus. Information and Computation, 143:1-70, 1999. Expanded version available as SRC Research Report 149 (January 1998).

[AR00] M. Abadi and R. Rogaway. Reconciling two views of cryptography (The computational soundness of formal encryption). In IFIP International Conference on Theoretical Computer Science, Sendai, Japan, 2000. Full paper to appear in J. of Cryptology.

[BAN89] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. Proceedings of the Royal Society, Series A, 426(1871):233-271, 1989. Also appeared as SRC Research Report 39 and, in a shortened form, in ACM Transactions on Computer Systems 8, 1 (February 1990), 18-36.

[Can00] R. Canetti. A unified framework for analyzing security of protocols. Cryptology ePrint Archive: Report 2000/067; see http://eprint.iacr.org/2000/067/, 2000.

[CDL+99] I. Cervesato, N.A. Durgin, P.D. Lincoln, J.C. Mitchell, and A. Scedrov. A meta-notation for protocol analysis. In 12-th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 1999.

[DDN91] D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography (extended abstract). In Proc. 23rd Annual ACM Symposium on the Theory of Computing, pages 542-552, 1991.

[DMP01] N.A. Durgin, J.C. Mitchell, and D. Pavlovic. A compositional logic for protocol correctness. In IEEE Computer Security Foundations Workshop, to appear, 2001.

[DY81] D. Dolev and A. Yao. On the security of public-key protocols. In Proc. 22nd Annual IEEE Symp. Foundations of Computer Science, pages 350-357, 1981.

[ElG85] T. ElGamal. A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, IT-31:469-472, 1985.

[GM84] S. Goldwasser and S. Micali. Probabilistic encryption. J. Computer and System Sciences, 28:281-308, 1984.

[KMM94] R. Kemmerer, C. Meadows, and J. Millen. Three systems for cryptographic protocol analysis. J. Cryptology, 7(2):79-130, 1994.

[LMMS98] P.D. Lincoln, M. Mitchell, J.C. Mitchell, and A. Scedrov. A probabilistic poly-time framework for protocol analysis. In M.K. Reiter, editor, Proc. 5-th ACM Conference on Computer and Communications Security, pages 112-121, San Francisco, California, 1998. ACM Press.

[LMMS99] P.D. Lincoln, J.C. Mitchell, M. Mitchell, and A. Scedrov. Probabilistic polynomial-time equivalence and security protocols. In J.M. Wing, J. Woodcock, and J. Davies, editors, Formal Methods World Congress, Vol. I, pages 776-793, Toulouse, France, 1999. Springer LNCS 1708.

[Low96] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR. In 2nd International Workshop on Tools and Algorithms for the Construction and Analysis of Systems. Springer-Verlag, 1996.

[Lub96] M. Luby. Pseudorandomness and Cryptographic Applications. Princeton Computer Science Notes, Princeton University Press, 1996.

[Mea96] C. Meadows. Analyzing the Needham-Schroeder public-key protocol: a comparison of two approaches. In Proc. European Symposium On Research In Computer Security. Springer Verlag, 1996.

[MMS97] J.C. Mitchell, M. Mitchell, and U. Stern. Automated analysis of cryptographic protocols using Murφ. In Proc. IEEE Symp. Security and Privacy, pages 141-151, 1997.

[MMS98] J.C. Mitchell, M. Mitchell, and A. Scedrov. A linguistic characterization of bounded oracle computation and probabilistic polynomial time. In Proc. 39-th Annual IEEE Symposium on Foundations of Computer Science, pages 725-733, Palo Alto, California, 1998. IEEE Computer Society Press.

[NS78] R. Needham and M. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993-999, 1978.

[Pau97a] L.C. Paulson. Mechanized proofs for a recursive authentication protocol. In 10th IEEE Computer Security Foundations Workshop, pages 84-95, 1997.

[Pau97b] L.C. Paulson. Proving properties of security protocols by induction. In 10th IEEE Computer Security Foundations Workshop, pages 70-83, 1997.

[PW00] B. Pfitzmann and M. Waidner. Composition and integrity preservation of secure reactive systems. In 7-th ACM Conference on Computer and Communications Security, Athens, November 2000, pages 245-254. ACM Press, 2000. Preliminary version: IBM Research Report RZ 3234 (# 93280) 06/12/00, IBM Research Division, Zurich, June 2000.

[Ros95] A. W. Roscoe. Modelling and verifying key-exchange protocols using CSP and FDR. In CSFW VIII, page 98. IEEE Computer Soc Press, 1995.

[Sch96] S. Schneider. Security properties and CSP. In IEEE Symp. Security and Privacy, 1996.

[Yao82] A. Yao. Theory and applications of trapdoor functions. In IEEE Foundations of Computer Science, pages 80-91, 1982.



Definitions by Rewriting
in the Calculus of Constructions


Frédéric Blanqui

LRI, bât. 490, Université Paris-Sud, 91405 Orsay Cedex, France
tel: +33 (0) 1 69 15 42 35  fax: +33 (0) 1 69 15 65 86
blanqui@lri.fr

Abstract : The main novelty of this paper is to consider an extension of the Calculus of Constructions where predicates can be defined with a general form of rewrite rules.

We prove the strong normalization of the reduction relation generated by the $\beta$-rule and the user-defined rules under some general syntactic conditions including confluence.

As examples, we show that two important systems satisfy these conditions : a sub-system of the Calculus of Inductive Constructions which is the basis of the proof assistant Coq, and the Natural Deduction Modulo a large class of equational theories.

1  Introduction 

This work aims at defining an expressive language allowing one to specify and prove mathematical properties, in which functions and predicates can be defined by rewrite rules, hence enabling the automatic proof of equational problems.

The Calculus of Constructions. The quest for such a language started with Girard's system F [19] on one hand and De Bruijn's Automath project [18] on the other hand. Later, Coquand and Huet combined both calculi into the Calculus of Constructions (CC) [10]. As in system F, in CC, data structures are defined by using an impredicative encoding which is difficult to use in practice. Following Martin-Löf's theory of types [24], Coquand and Paulin-Mohring defined an extension of CC with inductive types and their associated induction principles as first-class objects : the Calculus of Inductive Constructions (CIC) [26] which is the basis of the proof assistant Coq [17].

Reasoning Modulo. Defining functions or predicates by recursion is not always convenient. Moreover, with such definitions, equational reasoning is uneasy and leads to very large proof terms. Yet, for decidable theories, equational proofs need not be kept in proof terms. This idea that proving is not only reasoning (undecidable) but also computing (decidable) has been recently formalized in a general way by Dowek, Hardin and Kirchner with the Natural Deduction Modulo (NDM) for first-order logic [12].

Object-level rewriting. In CC, the first extension by a general notion of rewriting is the $\lambda R$-cube of Barbanera, Fernandez and Geuvers [1]. Their work extends the works of Breazu-Tannen and Gallier [8] and Jouannaud and Okada [21] on the combination of typed $\lambda$-calculi with rewriting. The notion of rewriting considered in [21, 1] is not restricted to first-order rewriting, but also includes higher-order rewriting following Jouannaud and Okada's General Schema [21], a generalization of the primitive recursive definition schema. This schema has been reformulated and enhanced so as to deal with definitions on strictly-positive inductive types [5] and with higher-order pattern-matching [3].

Predicate-level rewriting. The notion of rewriting considered in [1] is restricted to the object-level while, in CIC or NDM, it is possible to define predicates by recursion or by rewriting respectively. Recursion at the predicate-level is called “strong elimination” in [26] and has been shown consistent by Werner [31].

Our contributions. The main contribution of our work is a strong normalization result for the Calculus of Constructions extended with, at the predicate-level, user-defined rewrite rules satisfying some general admissibility conditions. As examples, we show that these conditions are satisfied by a sub-system of CIC with strong elimination [26] and the Natural Deduction Modulo [13] a large class of equational theories.

So, our work can be used as a foundation for an extension of a proof assistant like Coq [17] where users could define functions and predicates by rewrite rules. Checking the admissibility conditions or the convertibility of two expressions may require the use of external specialized tools like CiME [16] or ELAN [15].

Outline of the paper. In Section 2, we introduce the Calculus of Algebraic Constructions and our notations. In Section 3, we present our general syntactic conditions. In Section 4, we apply our result to CIC and NDM. In Section 5, we summarize the main contributions of our work and, in Section 6, we give future directions of work. Detailed proofs can be found in [4].

2 The Calculus of Algebraic Constructions (CAC)

2.1 Syntax and notations

We assume the reader familiar with the basics of rewriting [11] and typed $\lambda$-calculus [2].

Sorts and symbols. Throughout the paper, we let $\mathcal{S} = \{*, \Box\}$ be the set of sorts where $*$ denotes the impredicative universe of propositions and $\Box$ a predicative universe containing $*$. We also assume given a family $\mathcal{F} = (\mathcal{F}^s_n)_{n \in \mathbb{N}, s \in \mathcal{S}}$ of sets of symbols and a family $\mathcal{X} = (\mathcal{X}^s)_{s \in \mathcal{S}}$ of infinite sets of variables. A symbol $f \in \mathcal{F}^s_n$ is said to be of arity $\alpha_f = n$ and sort $s$. $\mathcal{F}^s$, $\mathcal{F}_n$, $\mathcal{F}$ and $\mathcal{X}$ respectively denote the set of symbols of sort $s$, the set of symbols of arity $n$, the set of all symbols and the set of all variables.

Terms. The terms of the corresponding CAC are given by the following syntax :

$$t ::= s \mid x \mid f(\vec{t}) \mid (x:t)t \mid [x:t]t \mid tt$$

where $s \in \mathcal{S}$, $x \in \mathcal{X}$ and $f$ is applied to a vector $\vec{t}$ of $n$ terms if $f \in \mathcal{F}_n$. $[x:T]t$ is the abstraction and $(x:T)U$ is the product. A term is algebraic if it is a variable or of the form $f(\vec{t})$ with each $t_i$ algebraic.

Notations. As usual, we consider terms up to $\alpha$-conversion. We denote by $FV(t)$ the set of free variables of $t$, by $FV^s(t)$ the set $FV(t) \cap \mathcal{X}^s$, by $t\{x \mapsto u\}$ the term obtained by substituting in $t$ every free occurrence of $x$ by $u$, by $dom(\theta)$ the domain of the substitution $\theta$, by $dom^s(\theta)$ the set $dom(\theta) \cap \mathcal{X}^s$, by $Pos(t)$ the set of positions in $t$ (words on the alphabet of positive integers), by $t|_p$ the subterm of $t$ at position $p$, by $t[u]_p$ the term obtained by replacing $t|_p$ by $u$ in $t$, and by $Pos(f, t)$ and $Pos(x, t)$ the sets of positions in $t$ where $f$ occurs and $x$ freely occurs respectively. As usual, we write $T \to U$ for a product $(x:T)U$ where $x \notin FV(U)$.

Rewriting. We assume given a set $\mathcal{R}$ of rewrite rules defining the symbols in $\mathcal{F}$. The rules we consider are pairs $l \to r$ made of two terms $l$ and $r$ such that $l$ is an algebraic term of the form $f(\vec{l})$ and $FV(r) \subseteq FV(l)$. They induce a rewrite relation $\to_\mathcal{R}$ on terms defined by $t \to_\mathcal{R} t'$ iff there are $p \in Pos(t)$, $l \to r \in \mathcal{R}$ and a substitution $\sigma$ such that $t|_p = l\sigma$ and $t' = t[r\sigma]_p$ (matching is first-order). So, $\mathcal{R}$ can be seen as a particular case of Combinatory Reduction System (CRS) [23] (translate $[x:T]u$ into $\lambda(T, [x]u)$ and $(x:T)U$ into $\Pi(T, [x]U)$) for which higher-order pattern-matching is not necessary.

Reduction. The reduction relation of the calculus is $\to \ = \ \to_\mathcal{R} \cup \to_\beta$ where $\to_\beta$ is defined as usual by $[x:T]u\ t \to_\beta u\{x \mapsto t\}$. We denote by $\to^*$ its reflexive and transitive closure, by $\leftrightarrow^*$ its symmetric, reflexive and transitive closure, and by $t \downarrow u$ the fact that $t$ and $u$ have a common reduct.

2.2  Typing 

Types of symbols. We assume given a function $\tau$ which, to each symbol $f$, associates a term $\tau_f$, called its type, of the form $(\vec{x}:\vec{T})U$ with $|\vec{x}| = \alpha_f$. In contrast with our own previous work [5] or the work of Barbanera, Fernandez and Geuvers [1], symbols can have polymorphic as well as dependent types, as is the case in CIC.

Typing. An environment $\Gamma$ is an ordered list of pairs $(x_i : T_i)$ saying that $x_i$ is of type $T_i$. The typing relation of the calculus, $\vdash$, is defined by the rules of Figure 1 (where $s, s' \in \mathcal{S}$).

An environment is valid if there is a term typable in it. The condition $\Gamma \vdash \tau_f : s$ in the (symb) rule insures that $\Gamma$ is valid in the case where $n = 0$.

Substitutions. Given two valid environments $\Gamma$ and $\Delta$, a substitution $\theta$ is a well-typed substitution from $\Gamma$ to $\Delta$, written $\theta : \Gamma \to \Delta$, if, for all $x \in dom(\Gamma)$, $\Delta \vdash x\theta : x\Gamma\theta$, where $x\Gamma$ denotes the type associated to $x$ in $\Gamma$. With such a substitution, if $\Gamma \vdash t : T$ then $\Delta \vdash t\theta : T\theta$.

Logical consistency. As usual, the logical consistency of such a system is proved in three steps.

First, we must make sure that the reduction relation is correct w.r.t. the typing relation : if $\Gamma \vdash t : T$ and $t \to t'$ then $\Gamma \vdash t' : T$. This property, called subject reduction, is not easy to prove for extensions of CC [31, 1]. In the following subsection, we give sufficient conditions for it.

The second step is to prove that the reduction relation is weakly or strongly normalizing, hence that every well-typed term has a normal form. Together with the confluence, this implies the decidability of the typing relation which is essential in proof assistants. In this paper, we will study the strong normalization property.

The third step is to make sure that there is no normal proof of $\bot = (P:*)P$ in the empty environment. Indeed, if $\bot$ is provable then any proposition $P$ is provable. We will not address this problem here.

Figure 1: Typing rules

$$\text{(ax)}\quad \frac{}{\vdash * : \Box}$$

$$\text{(symb)}\quad \frac{f \in \mathcal{F}_n \quad \tau_f = (\vec{x}:\vec{T})U \quad \gamma = \{\vec{x} \mapsto \vec{t}\} \quad \Gamma \vdash \tau_f : s \quad \forall i,\ \Gamma \vdash t_i : T_i\gamma}{\Gamma \vdash f(\vec{t}) : U\gamma}$$

$$\text{(var)}\quad \frac{\Gamma \vdash T : s \quad x \in \mathcal{X}^s \setminus dom(\Gamma)}{\Gamma, x:T \vdash x : T}$$

$$\text{(weak)}\quad \frac{\Gamma \vdash t : T \quad \Gamma \vdash U : s \quad x \in \mathcal{X}^s \setminus dom(\Gamma)}{\Gamma, x:U \vdash t : T}$$

$$\text{(prod)}\quad \frac{\Gamma \vdash T : s \quad \Gamma, x:T \vdash U : s'}{\Gamma \vdash (x:T)U : s'}$$

$$\text{(abs)}\quad \frac{\Gamma, x:T \vdash u : U \quad \Gamma \vdash (x:T)U : s}{\Gamma \vdash [x:T]u : (x:T)U}$$

$$\text{(app)}\quad \frac{\Gamma \vdash t : (x:U)V \quad \Gamma \vdash u : U}{\Gamma \vdash tu : V\{x \mapsto u\}}$$

$$\text{(conv)}\quad \frac{\Gamma \vdash t : T \quad T \downarrow T' \quad \Gamma \vdash T' : s'}{\Gamma \vdash t : T'}$$

2.3 Subject reduction

Proving subject reduction for $\to_\beta$ requires the following property [4] :

$$(x:U)V \leftrightarrow^* (x:U')V' \Rightarrow U \leftrightarrow^* U' \wedge V \leftrightarrow^* V'$$

It is easy to see that this property is satisfied when $\to$ is confluent, an assumption which is part of our admissibility conditions described in the next section.

For $\to_\mathcal{R}$, the idea present in all previous works is to require that, for each rule $l \to r$, there is an environment $\Gamma$ and a type $T$ such that $\Gamma \vdash l : T$ and $\Gamma \vdash r : T$. However, this approach has an important drawback : in presence of dependent or polymorphic types, it leads to non-left-linear rules.

For example, consider the type $list : * \to *$ of polymorphic lists built from $nil : (A:*)list(A)$ and $cons : (A:*)A \to list(A) \to list(A)$, and the concatenation function $app : (A:*)list(A) \to list(A) \to list(A)$. To fulfill the previous condition, we must define $app$ as follows :

$$app(A, nil(A), \ell) \to \ell$$

$$app(A, cons(A, x, \ell), \ell') \to cons(A, x, app(A, \ell, \ell'))$$

This has two important consequences. The first one is that rewriting is slowed down because of numerous equality tests. The second one is that it may become much more difficult to prove the confluence of the rewrite relation and of its combination with $\to_\beta$.

We are going to see that we can take the following left-linear definition without losing the subject reduction property :

$$app(A, nil(A'), \ell) \to \ell$$

$$app(A, cons(A', x, \ell), \ell') \to cons(A, x, app(A, \ell, \ell'))$$
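As an added illustration (not code from the paper), the following Python script implements the first-order rewrite relation of Section 2.1 on algebraic terms and runs both definitions of $app$ on a well-typed instance whose two type arguments are convertible but not syntactically equal; the symbol $id : * \to *$ with the rule $id(A) \to A$ is an assumption introduced only to build that instance. It shows that the non-left-linear rule is blocked until the equality test succeeds, while the left-linear rule fires at once.

```python
"""First-order rewriting on algebraic terms (Section 2.1) applied to the
non-left-linear and the left-linear definitions of app (Section 2.3).
Added illustration, not code from the paper.  The symbol id : * -> * with
the rule id(A) -> A is an assumption used to build a well-typed instance of
app whose two type arguments are convertible but not syntactically equal."""

# A term is a variable (a Python str) or a pair (symbol, tuple of arguments).
def T(f, *args):
    return (f, tuple(args))

def is_var(t):
    return isinstance(t, str)

def match(pattern, term, subst):
    """First-order matching: extends `subst` or returns None.  A repeated
    pattern variable forces a syntactic equality test between the two
    matched subterms; that test is the price of non-left-linear rules."""
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        return {**subst, pattern: term}
    if is_var(term) or pattern[0] != term[0] or len(pattern[1]) != len(term[1]):
        return None
    for p, t in zip(pattern[1], term[1]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst

def substitute(t, subst):
    if is_var(t):
        return subst.get(t, t)
    return (t[0], tuple(substitute(a, subst) for a in t[1]))

def rewrite_top(rules, t):
    """One rewrite step at the root position, or None if no rule matches."""
    for lhs, rhs in rules:
        s = match(lhs, t, {})
        if s is not None:
            return substitute(rhs, s)
    return None

def normalize(rules, t):
    """Innermost normalisation: arguments first, then the root, repeatedly."""
    if not is_var(t):
        t = (t[0], tuple(normalize(rules, a) for a in t[1]))
    r = rewrite_top(rules, t)
    return t if r is None else normalize(rules, r)

# Non-left-linear definition: the type variable A is repeated in each left-hand side.
NONLINEAR = [
    (T('app', 'A', T('nil', 'A'), 'L'), 'L'),
    (T('app', 'A', T('cons', 'A', 'X', 'L'), 'M'),
     T('cons', 'A', 'X', T('app', 'A', 'L', 'M'))),
]
# Left-linear definition: the constructor's type argument is a fresh variable A2.
LINEAR = [
    (T('app', 'A', T('nil', 'A2'), 'L'), 'L'),
    (T('app', 'A', T('cons', 'A2', 'X', 'L'), 'M'),
     T('cons', 'A', 'X', T('app', 'A', 'L', 'M'))),
]
# Assumed predicate-level symbol id with the rule id(A) -> A.
ID_RULE = [(T('id', 'A'), 'A')]

NAT = T('nat')
# Constructed instance: cons(id(nat), x, nil(nat)) has type list(id(nat)),
# convertible to list(nat), so app(nat, cons(id(nat), ...), ...) is well typed
# (rule (conv)) although its two type arguments differ syntactically.
SAMPLE = T('app', NAT, T('cons', T('id', NAT), T('x'), T('nil', NAT)), T('nil', NAT))

def compare():
    """Root step and normal form of SAMPLE under each definition of app."""
    return {
        'nonlinear_root': rewrite_top(NONLINEAR, SAMPLE),   # None: nat != id(nat)
        'linear_root': rewrite_top(LINEAR, SAMPLE),
        'nonlinear_nf': normalize(NONLINEAR + ID_RULE, SAMPLE),
        'linear_nf': normalize(LINEAR + ID_RULE, SAMPLE),
    }

if __name__ == '__main__':
    for name, value in compare().items():
        print(name, value)
```

Under the non-left-linear rules the root step only becomes possible after $id(nat)$ has been normalised to $nat$, which is the equality test the text refers to; both definitions reach the same normal form.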


Let $l = app(A, cons(A', x, \ell), \ell')$, $r = cons(A, x, app(A, \ell, \ell'))$, $\Gamma$ be an environment and $\sigma$ a substitution such that $\Gamma \vdash l\sigma : list(A\sigma)$. We must prove that $\Gamma \vdash r\sigma : list(A\sigma)$. For $\Gamma \vdash l\sigma : list(A\sigma)$, we must have a derivation like :

$$\frac{\Gamma \vdash A\sigma : * \qquad \dfrac{\dfrac{\Gamma \vdash A'\sigma : * \quad \Gamma \vdash x\sigma : A'\sigma \quad \Gamma \vdash \ell\sigma : list(A'\sigma)}{\Gamma \vdash cons(A'\sigma, x\sigma, \ell\sigma) : list(A'\sigma)}\ \text{(symb)} \quad list(A'\sigma) \downarrow list(A\sigma) \quad \Gamma \vdash list(A\sigma) : *}{\Gamma \vdash cons(A'\sigma, x\sigma, \ell\sigma) : list(A\sigma)}\ \text{(conv)} \qquad \Gamma \vdash \ell'\sigma : list(A\sigma)}{\Gamma \vdash l\sigma : list(A\sigma)}\ \text{(symb)}$$

Therefore, $A'\sigma \downarrow A\sigma$ and we can derive $\Gamma \vdash x\sigma : A\sigma$, $\Gamma \vdash \ell\sigma : list(A\sigma)$ and :

$$\frac{\Gamma \vdash A\sigma : * \qquad \Gamma \vdash x\sigma : A\sigma \qquad \dfrac{\Gamma \vdash A\sigma : * \quad \Gamma \vdash \ell\sigma : list(A\sigma) \quad \Gamma \vdash \ell'\sigma : list(A\sigma)}{\Gamma \vdash app(A\sigma, \ell\sigma, \ell'\sigma) : list(A\sigma)}\ \text{(symb)}}{\Gamma \vdash r\sigma : list(A\sigma)}\ \text{(symb)}$$

The point is that, although $l$ is not typable, from any typable instance $l\sigma$ of $l$, we can deduce that $A'\sigma \downarrow A\sigma$. In this way, we come to the following conditions :


Definition 1 (Type-preserving rewrite rule) A rewrite rule $l \to r$ is type-preserving if there is an environment $\Gamma$ and a substitution $\rho$ such that, if $l = f(\vec{l})$, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$ then :

(S1) $dom(\rho) \subseteq FV(l) \setminus dom(\Gamma)$,

(S2) $\Gamma \vdash l\rho : U\gamma\rho$,

(S3) $\Gamma \vdash r : U\gamma\rho$,

(S4) for any substitution $\sigma$, environment $\Delta$ and type $T$, if $\Delta \vdash l\sigma : T$ then $\sigma : \Gamma \to \Delta$,

(S5) for any substitution $\sigma$, environment $\Delta$ and type $T$, if $\Delta \vdash l\sigma : T$ then, for all $x \in dom(\rho)$, $x\sigma \downarrow x\rho\sigma$.

In our example, it suffices to take $\Gamma = A : *, x : A, \ell : list(A), \ell' : list(A)$ and $\rho = \{A' \mapsto A\}$.

One may wonder how to check these conditions. In practice, the symbols are incrementally defined. So, assume that we have a confluent and strongly normalizing CAC built over $\mathcal{F}$ and $\mathcal{R}$, and that we want to add a new symbol $f$. Then, given $\Gamma$ and $\rho$, it is decidable to check (S1) to (S3) in the CAC built over $\mathcal{F} \cup \{f\}$ and $\mathcal{R}$, since this system is confluent and strongly normalizing. In [4], we give a simple condition ensuring (S4) ($\Gamma$ simply needs to be well chosen). The condition (S5) is the most difficult to check and may require the confluence of $\to$.

3 Admissibility conditions

3.1 Inductive structure

Until now, we made few assumptions on symbols or rewrite rules. In particular, we have no notion of inductive type. Yet, the structure of inductive types plays a key role in strong normalization proofs [25]. On the other hand, we want rewriting to be as general as possible by allowing matching on defined symbols and equations among constructors. This is why, in the following, we introduce an extended notion of constructor and a notion of inductive structure which generalize usual definitions of inductive types [26]. Note that, in contrast with our previous work [5], we allow inductive types to be polymorphic and dependent, as is the case in CIC.

Definition 2 (Constructors) For $\mathcal{G} \subseteq \mathcal{F}$, let $\mathcal{R}_\mathcal{G}$ be the set of rules defining the symbols in $\mathcal{G}$, that is, the rules whose left-hand side is headed by a symbol in $\mathcal{G}$. The set of free symbols is $\mathcal{CF} = \{f \in \mathcal{F} \mid \mathcal{R}_{\{f\}} = \emptyset\}$. The set of defined symbols is $\mathcal{DF} = \mathcal{F} \setminus \mathcal{CF}$. The set of constructors of a free predicate symbol $C$ is $Co(C) = \{f \in \mathcal{F}^* \mid \tau_f = (\vec{y}:\vec{U})C(\vec{v}) \text{ and } |\vec{y}| = \alpha_f\}$.

The constructors of $C$ not only include the constructors in the usual sense but every defined symbol whose output type is $C$. For example, the symbols $0 : int$, $s : int \to int$, $p : int \to int$, $+ : int \to int \to int$ and $\times : int \to int \to int$ defined by the rules $s(p(x)) \to x$, $p(s(x)) \to x$ and others for $+$ and $\times$ are all constructors of the type $int$ of integers.

Definition 3 (Inductive structure) An inductive structure is given by :

• a quasi-ordering $\geq_\mathcal{F}$ on $\mathcal{F}$, called precedence, whose strict part, $>_\mathcal{F}$, is well-founded,

• for each $C \in \mathcal{CF}^\Box$ such that $\tau_C = (\vec{x}:\vec{T})*$, a set $Ind(C) \subseteq \{i \in \{1, \ldots, \alpha_C\} \mid x_i \in \mathcal{X}^\Box\}$ of inductive positions,

• for each constructor $c$, a set $Acc(c) \subseteq \{1, \ldots, \alpha_c\}$ of accessible positions.

The accessible positions allow the user to describe which patterns can be used for defining functions, and the inductive positions allow one to describe the arguments on which the free predicate symbols should be monotone. This allows us to generalize the notion of positivity used in CIC.

Definition 4 (Positive and negative positions) The sets of positive positions $Pos^+(T)$ and negative positions $Pos^-(T)$ of a term $T$ are mutually defined by induction on $T$ as follows :

- $Pos^+(s) = Pos^+(F(\vec{t})) = Pos^+(X) = \{\varepsilon\}$,

- $Pos^-(s) = Pos^-(F(\vec{t})) = Pos^-(X) = \emptyset$,

- $Pos^\delta((x:V)W) = 1.Pos^{-\delta}(V) \cup 2.Pos^\delta(W)$,

- $Pos^\delta([x:V]W) = 1.Pos(V) \cup 2.Pos^\delta(W)$,

- $Pos^\delta(Vu) = 1.Pos^\delta(V) \cup 2.Pos(u)$,

- $Pos^+(C(\vec{t})) = \{\varepsilon\} \cup \bigcup\{i.Pos^+(t_i) \mid i \in Ind(C)\}$,

- $Pos^-(C(\vec{t})) = \bigcup\{i.Pos^-(t_i) \mid i \in Ind(C)\}$,

where $\delta \in \{-, +\}$, $-+ = -$ and $-- = +$.

For example, in $(x:A)B$, $B$ occurs positively while $A$ occurs negatively. Now, with the type $list$ of polymorphic lists, $A$ occurs positively in $list(A)$ iff $Ind(list) = \{1\}$.

Definition 5 (Admissible inductive structure) An inductive structure is admissible if, for all $C \in \mathcal{CF}^\Box$ with $\tau_C = (\vec{x}:\vec{T})*$ :

(I1) $\forall i \in Ind(C)$, $x_i \in \mathcal{X}^\Box$,

and for all $c$ with $\tau_c = (\vec{y}:\vec{U})C(\vec{v})$ and $j \in Acc(c)$ :

(I2) $\forall i \in Ind(C)$, $Pos(v_i, U_j) \subseteq Pos^+(U_j)$,

(I3) $\forall D \in \mathcal{CF}^\Box$, $D =_\mathcal{F} C \Rightarrow Pos(D, U_j) \subseteq Pos^+(U_j)$,

(I4) $\forall D \in \mathcal{CF}^\Box$, $D >_\mathcal{F} C \Rightarrow Pos(D, U_j) = \emptyset$,

(I5) $\forall F \in \mathcal{DF}^\Box$, $Pos(F, U_j) = \emptyset$,

(I6) $\forall X \in FV^\Box(U_j)$, $\exists \iota_X \in \{1, \ldots, \alpha_C\}$, $v_{\iota_X} = X$.

For example, with the type $list$ of polymorphic lists, $Ind(list) = \{1\}$, $Acc(nil) = \{1\}$ and $Acc(cons) = \{1, 2, 3\}$ is an admissible inductive structure. If we add the type $tree : *$ and the constructor $node : list(tree) \to tree$ with $Acc(node) = \{1\}$, we still have an admissible structure.

The condition (I6) means that the predicate-arguments of a constructor must be parameters of the type they define. One can find a similar condition in the work of Walukiewicz [30] (called “$*$-dependency”) and in the work of Stefanova [27] (called “safeness”).

On the other hand, there is no such explicit restriction in CIC. But the elimination scheme is typed in such a way that no very interesting function can be defined on a type not satisfying (I6). For example, consider the type of heterogeneous non-empty lists (we use the CIC syntax here) $listh = Ind(X : *)\{C_1 \mid C_2\}$ where $C_1 = (A:*)(x:A)X$ and $C_2 = (A:*)(x:A)X \to X$. The typing rule for the non-dependent elimination schema $(Nodep^*_*)$ is :

$$\frac{\Gamma \vdash e : listh \quad \Gamma \vdash Q : * \quad \forall i,\ \Gamma \vdash f_i : C_i\{listh, Q\}}{\Gamma \vdash Elim(e, Q)\{f_1 \mid f_2\} : Q}$$

where $C_1\{listh, Q\} = (A:*)(x:A)Q$ and $C_2\{listh, Q\} = (A:*)(x:A)listh \to Q \to Q$. Since $Q$, $f_1$ and $f_2$ must be typable in $\Gamma$, the result of $f_1$ and $f_2$ cannot depend on $A$ or on $x$. This means that it is possible to compute the length of such a list but not to use an element of the list.

Definition 6 (Primitive, basic and strictly positive predicates) A free predicate symbol $C$ is :

• primitive if, for all $D =_\mathcal{F} C$, for all constructor $d$ of type $\tau_d = (\vec{y}:\vec{U})D(\vec{w})$ and for all $j \in Acc(d)$, $U_j$ is either of the form $E(\vec{t})$ with $E <_\mathcal{F} D$ and $E$ basic, or of the form $E(\vec{t})$ with $E =_\mathcal{F} D$.

• basic if, for all $D =_\mathcal{F} C$, for all constructor $d$ of type $\tau_d = (\vec{y}:\vec{U})D(\vec{w})$ and for all $j \in Acc(d)$, if $E =_\mathcal{F} D$ occurs in $U_j$ then $U_j$ is of the form $E(\vec{t})$.

• strictly positive if, for all $D =_\mathcal{F} C$, for all constructor $d$ of type $\tau_d = (\vec{y}:\vec{U})D(\vec{w})$ and for all $j \in Acc(d)$, if $E =_\mathcal{F} D$ occurs in $U_j$ then $U_j$ is of the form $(\vec{z}:\vec{V})E(\vec{t})$ and no $D' =_\mathcal{F} D$ occurs in $\vec{V}$.

For example, the type $list$ of polymorphic lists is basic but not primitive. The type $listint$ of lists of integers with the constructors $nilint : listint$ and $consint : int \to listint \to listint$ is primitive. And the type $ord$ of Brouwer's ordinals with the constructors $0 : ord$, $s : ord \to ord$ and $lim : (nat \to ord) \to ord$ is strictly positive.

Although we do not explicitly forbid non-strictly positive predicate symbols, the admissibility conditions we are going to describe in the following subsections will not enable us to define functions on such a predicate. The same restriction applies to CIC while the system of Walukiewicz [30] is restricted to basic predicates and the $\lambda R$-cube [1] or NDM [13] are restricted to primitive and non-dependent predicates. However, in the following, for lack of space, we will restrict our attention to basic predicates.


3.2 General Schema

The constructors of primitive predicates (remember that they include all symbols whose output type is a primitive predicate), defined by usual first-order rules, are easily shown to be strongly normalizing since the combination of first-order rewriting with $\to_\beta$ preserves strong normalization [8].

On the other hand, in the presence of higher-order rules, few techniques are known :

• Van de Pol [28] extended to the higher-order case the use of strictly monotone interpretations. This technique is very powerful but difficult to use in practice and has not been studied yet in type systems richer than the simply-typed $\lambda$-calculus.

• Jouannaud and Okada [21] defined a syntactic criterion, the General Schema, which extends primitive recursive definitions. This schema has been reformulated and enhanced to deal with definitions on strictly-positive types [6], to higher-order pattern-matching [3] and to richer type systems with object-level rewriting [1, 5].

• Jouannaud and Rubio [22] extended to the higher-order case the use of Dershowitz's recursive path ordering. The obtained ordering can be seen as a recursive version of the General Schema and has been extended by Walukiewicz [30] to the Calculus of Constructions with object-level rewriting.

Here, we present an extension of the General Schema defined in [5] to deal with type-level rewriting, the main novelty of our paper.

The General Schema is based on Tait and Girard's computability predicate technique [19] for proving the strong normalization of the simply-typed $\lambda$-calculus and system F. This technique consists in interpreting each type $T$ by a set $[T]$ of strongly normalizable terms, called computable, and in proving that $t \in [T]$ whenever $\Gamma \vdash t : T$.

The idea of the General Schema is then to define, from a left-hand side of rule $f(\vec{l})$, a set of right-hand sides $r$ that are computable whenever the $l_i$'s are computable. This set is built from the variables of the left-hand side, called accessible, that are computable whenever the $l_i$'s are computable, and is then closed by computability-preserving operations.

For the sake of simplicity, two sequences of arguments of a symbol $f$ will be compared in a lexicographic manner. But it is possible to do these comparisons in a multiset manner or with a simple combination of lexicographic and multiset comparisons (see [4] for details).
Definition 7 (Accessibility) A pair $(u, U)$ is accessible in a pair $(t, T)$, written $(t, T) \rhd_1 (u, U)$, if $(t, T) = (c(\vec{v}), C(\vec{w})\gamma)$ and $(u, U) = (v_j, U_j\gamma)$ with $c$ a constructor of type $\tau_c = (\vec{y}:\vec{U})C(\vec{w})$, $\gamma = \{\vec{y} \mapsto \vec{v}\}$ and $j \in Acc(c)$.

For example, in the definition of $app$ previously given, $A'$, $x$ and $\ell$ are all accessible in $t = cons(A', x, \ell)$ : $(t, list(A)) \rhd_1 (A', *)$, $(t, list(A)) \rhd_1 (x, A')$ and $(t, list(A)) \rhd_1 (\ell, list(A'))$.

Definition 8 (Derived type) Let $t$ be a term of the form $l\sigma$ with $l = f(\vec{l})$ algebraic, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$. Let $p \in Pos(l)$ with $p \neq \varepsilon$. The subterm $t|_p$ of $t$ has a derived type, $T(t, p)$, defined as follows :

- if $p = i$ then $T(t, p) = T_i\gamma\sigma$,

- if $p = iq$ and $q \neq \varepsilon$ then $T(t, p) = T(l_i\sigma, q)$.

Definition 9 (Well-formed rule) Let $R = (l \to r, \Gamma, \rho)$ be a rule with $l = f(\vec{l})$, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$. The rule $R$ is well-formed if, for all $x \in dom(\Gamma)$, there is $i \leq \alpha_f$ and $p_x \in Pos(x, l_i)$ such that $(l_i, T_i\gamma) \rhd_1 (x, T(l, ip_x))$ and $T(l, ip_x)\rho = x\Gamma$.

Definition 10 (Computable closure) Let $R = (l \to r, \Gamma, \rho)$ be a rule with $l = f(\vec{l})$, $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$. The order $>$ on the arguments of $f$ is the lexicographic extension of $\rhd_1$. The computable closure of $R$ is the relation $\Vdash_R$ defined by the rules of Figure 2.

Definition 11 (General Schema) A rule $(f(\vec{l}) \to r, \Gamma, \rho)$ with $\tau_f = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$ satisfies the General Schema if it is well-formed and $\Gamma \Vdash_R r : U\gamma\rho$.

It is easy to check that the rules for $app$ are well-formed and that $\Gamma \Vdash cons(A, x, app(A, \ell, \ell')) : list(A)$. For example, we show that $\Gamma \Vdash app(A, \ell, \ell') : list(A)$ :

$$\frac{\dfrac{\Gamma \Vdash * : \Box \qquad \dfrac{\Gamma \Vdash A : *}{\Gamma \Vdash list(A) : *}}{\Gamma \Vdash \tau_{app} : \Box} \qquad \Gamma \Vdash A : * \qquad \Gamma \Vdash \ell : list(A) \qquad \Gamma \Vdash \ell' : list(A) \qquad (cons(A', x, \ell), list(A)) > (\ell, list(A))}{\Gamma \Vdash app(A, \ell, \ell') : list(A)}$$

3.3 Admissibility conditions

Definition 12 (Rewrite systems) Let $\mathcal{G}$ be a set of symbols. The rewrite system $(\mathcal{G}, \mathcal{R}_\mathcal{G})$ is :

• algebraic if :

- $\mathcal{G}$ is made of predicate symbols or of constructors of primitive predicates,

- all rules of $\mathcal{R}_\mathcal{G}$ have an algebraic right-hand side;

• non-duplicating if, for all $l \to r \in \mathcal{R}_\mathcal{G}$, no variable has more occurrences in $r$ than in $l$;

• primitive if, for all rule $l \to r \in \mathcal{R}_\mathcal{G}$, $r$ is of the form $[\vec{x}:\vec{T}]g(\vec{u})$ with $g$ belonging to $\mathcal{G}$ or $g$ being a primitive predicate symbol;

• simple if, for all $g(\vec{l}) \to r \in \mathcal{R}_\mathcal{G}$ :

- all the symbols occurring in $\vec{l}$ are free,

- for all sequence of terms $\vec{t}$, at most one rule can apply at the top of $g(\vec{t})$,

- for all rule $g(\vec{l}) \to r \in \mathcal{R}_\mathcal{G}$ and all $X \in FV^\Box(r)$, there is a unique $\iota_X$ such that $l_{\iota_X} = X$;

• positive if, for all $l \to r \in \mathcal{R}_\mathcal{G}$ and all $g \in \mathcal{G}$, $Pos(g, r) \subseteq Pos^+(r)$;

• recursive if all the rules of $\mathcal{R}_\mathcal{G}$ satisfy the General Schema;

• safe if, for all $(g(\vec{l}) \to r, \Gamma, \rho) \in \mathcal{R}_\mathcal{G}$ with $\tau_g = (\vec{x}:\vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$ :

- for all $X \in FV^\Box(\vec{T}U)$, $X\gamma\rho \in dom^\Box(\Gamma)$,

- for all $X, X' \in FV^\Box(\vec{T}U)$, $X\gamma\rho = X'\gamma\rho \Rightarrow X = X'$.

Figure 2: Computable closure

$$\text{(acc)}\quad \frac{\Gamma_0 \vdash x\Gamma_0 : s \quad x \in dom(\Gamma_0)}{\Gamma_0 \Vdash x : x\Gamma_0}$$

$$\text{(ax)}\quad \frac{}{\Gamma_0 \Vdash * : \Box}$$

$$\text{(symb}^<\text{)}\quad \frac{g \in \mathcal{F}_n \quad \tau_g = (\vec{y}:\vec{U})V \quad \gamma = \{\vec{y} \mapsto \vec{u}\} \quad g <_\mathcal{F} f \quad \Gamma \Vdash \tau_g : s \quad \forall i,\ \Gamma \Vdash u_i : U_i\gamma}{\Gamma \Vdash g(\vec{u}) : V\gamma}$$

$$\text{(symb}^=\text{)}\quad \frac{g \in \mathcal{F}_n \quad \tau_g = (\vec{y}:\vec{U})V \quad \gamma = \{\vec{y} \mapsto \vec{u}\} \quad g =_\mathcal{F} f \quad \Gamma \Vdash \tau_g : s \quad \forall i,\ \Gamma \Vdash u_i : U_i\gamma \quad (\vec{l}, \vec{T}\{\vec{x} \mapsto \vec{l}\}) > (\vec{u}, \vec{U}\gamma)}{\Gamma \Vdash g(\vec{u}) : V\gamma}$$

$$\text{(var)}\quad \frac{\Gamma \Vdash T : s \quad x \in \mathcal{X}^s \setminus FV(l)}{\Gamma, x:T \Vdash x : T}$$

$$\text{(weak)}\quad \frac{\Gamma \Vdash t : T \quad \Gamma \Vdash U : s \quad x \in \mathcal{X}^s \setminus FV(l)}{\Gamma, x:U \Vdash t : T}$$

$$\text{(prod)}\quad \frac{\Gamma \Vdash T : s \quad \Gamma, x:T \Vdash U : s'}{\Gamma \Vdash (x:T)U : s'}$$

$$\text{(abs)}\quad \frac{\Gamma, x:T \Vdash u : U \quad \Gamma \Vdash (x:T)U : s}{\Gamma \Vdash [x:T]u : (x:T)U}$$

$$\text{(app)}\quad \frac{\Gamma \Vdash t : (x:U)V \quad \Gamma \Vdash u : U}{\Gamma \Vdash tu : V\{x \mapsto u\}}$$

$$\text{(conv)}\quad \frac{\Gamma \Vdash t : T \quad T \downarrow T' \quad \Gamma \Vdash T' : s'}{\Gamma \Vdash t : T'}$$
Definition 13 (Admissible CAC) A CAC is admissible if :

(A1) $\to_\mathcal{R} \cup \to_\beta$ is confluent;

(A2) its inductive structure is admissible;

(A3) $(\mathcal{DF}^\Box, \mathcal{R}_{\mathcal{DF}^\Box})$ is either :

- primitive,

- simple and positive,

- simple and recursive;

(A4) there is a partition $\mathcal{F}_a \cup \mathcal{F}_{na}$ of $\mathcal{DF}$ (algebraic and non-algebraic symbols) such that :

- $(\mathcal{F}_a, \mathcal{R}_{\mathcal{F}_a})$ is algebraic, non-duplicating and strongly normalizing,

- no symbol of $\mathcal{F}_{na}$ occurs in the rules of $\mathcal{R}_{\mathcal{F}_a}$,

- $(\mathcal{F}_{na}, \mathcal{R}_{\mathcal{F}_{na}})$ is safe and recursive.

The simplicity condition in (A3) extends to the case of rewriting the restriction in CIC of strong elimination to "small" inductive types, that is, to the types whose constructors have no predicate-arguments except the parameters of the type.

The safeness condition in (A4) means that one cannot do pattern-matching or equality tests on predicate-arguments that are necessary for typing other arguments. In her extension of HORPO to the Calculus of Constructions, Walukiewicz requires similar conditions [30].

The  non-duplication  condition  in  (A4)  ensures  the 
modularity  of  the  strong  normalization.  Indeed,  in 
general,  the  combination  of  two  strongly  normalizing 
rewrite  systems  is  not  strongly  normalizing. 

Now, for proving (A1), one can use the following result of van Oostrom [29] (remember that $\mathcal{R} \cup \beta$ can be seen as a CRS [23]): the combination of two confluent left-linear CRS's having no critical pairs between each other is confluent. So, since $\to_\beta$ is confluent and $\mathcal{R}$ and $\beta$ cannot have critical pairs between each other, if $\mathcal{R}$ is left-linear and confluent then $\to_\mathcal{R} \cup \to_\beta$ is confluent. Therefore, our conditions (S1) to (S5) are very useful to eliminate the non-linearities due to typing reasons.

We can now state our main result. A detailed proof can be found in [4].

Theorem 14 (Strong normalization) Any admissible CAC is strongly normalizing.

The proof is based on Coquand and Gallier's extension to the Calculus of Constructions [9] of Tait and Girard's computability predicate technique [19]. As explained before, the idea is to define an interpretation for each type and to prove that each well-typed term belongs to the interpretation of its type.

The main difficulty is to define an interpretation for predicate symbols that is invariant by reduction, a condition required by the type conversion rule (conv).

Thanks to the positivity conditions, the interpretation of a free predicate symbol can be defined as the least fixpoint of a monotone function over the lattice of computability predicates.

For the defined predicate symbols, it depends on the kind of system $(\mathcal{DF}^\Box, \mathcal{R}_{\mathcal{DF}^\Box})$ is. If it is primitive then we simply interpret it as the set of strongly normalizable terms. If it is positive then, thanks to the positivity condition, we can interpret it as a least fixpoint. Finally, if it is recursive then we can define its interpretation recursively, the General Schema providing a well-founded definition.

4 Examples

4.1 Calculus of Inductive Constructions

We are going to see that we can apply our strong normalization theorem to a sub-system of CIC [26] by translating it into an admissible CAC. The first complete proof of strong normalization of CIC (with strong elimination) is due to Werner [31] who, in addition, considers η-reductions in the type conversion rule.

In CIC, one has strictly-positive inductive types and the corresponding induction principles. We recall the syntax and the typing rules of CIC but, for the sake of simplicity, we will restrict our attention to basic inductive types and non-dependent elimination schemas. For a complete presentation, see [4].

• Inductive types are denoted by $Ind(X : A)\{\vec{C}\}$ where the $C_i$'s are the types of the constructors. The term $A$ must be of the form $(\vec{x} : \vec{A})\star$ and the $C_i$'s of the form $(\vec{z} : \vec{B})\, X\vec{m}$.

• The $i$-th constructor of an inductive type $I$ is denoted by $Constr(i, I)$.

• Recursors are denoted by $Elim(I, Q, \vec{a}, c)\{\vec{f}\}$ where $I$ is the inductive type, $Q$ the type of the result, $\vec{a}$ the arguments of $I$ and $c$ a term of type $I\vec{a}$.

The  typing  rules  for  these  constructions  are  given  in 
Figure  3.  The  rules  for  the  other  constructions  are  the 
same  as  for  the  Calculus  of  Constructions. 

If $C_i = (\vec{z} : \vec{B})\, X\vec{m}$ then $C_i\{I, Q\}$ denotes $(\vec{z} : \vec{B})(\vec{y} : \vec{B}\{X \mapsto Q\})\, Q\vec{m}$. The reduction relation associated to Elim is called ι-reduction and is defined as follows:

$Elim(I, Q, \vec{a}, Constr(i, I)\,\vec{b})\{\vec{f}\} \to f_i\, \vec{b}\, \vec{b}'$

where, if $C_i = (\vec{z} : \vec{B})\, X\vec{m}$, then $b'_j = Elim(I, Q, \vec{a}', b_j)\{\vec{f}\}$ if $B_j = X\vec{a}'$, and $b'_j = b_j$ otherwise.

Figure 3: Typing rules of CIC

(Ind*)  $\dfrac{\forall i,\ \Gamma, X : A \vdash C_i : \star}{\Gamma \vdash Ind(X : A)\{\vec{C}\} : A}$

(Constr)  $\dfrac{\Gamma \vdash I = Ind(X : A)\{\vec{C}\} : A}{\Gamma \vdash Constr(i, I) : C_i\{X \mapsto I\}}$

(Nodep⋆,s)  $\dfrac{\Gamma \vdash c : I\vec{a} \quad \Gamma \vdash Q : (\vec{x} : \vec{A})s \quad \forall i,\ \Gamma \vdash f_i : C_i\{I, Q\}}{\Gamma \vdash Elim(I, Q, \vec{a}, c)\{\vec{f}\} : Q\vec{a}}$

The ι-reduction is translated (through the translation $\langle\ \rangle$ defined below) by the following rules:

$SElim^K_I(\vec{f}, \vec{a}, Constr^I_i(\vec{b})) \to f_i\, \vec{b}\, \vec{b}'$
$WElim_I(Q, \vec{f}, \vec{a}, Constr^I_i(\vec{b})) \to f_i\, \vec{b}\, \vec{b}'$

where, if $C_i = (\vec{z} : \vec{B})\, X\vec{m}$, then $b'_j = SElim^K_I(\vec{f}, \vec{a}', b_j)$ (or $WElim_I(Q, \vec{f}, \vec{a}', b_j)$) if $B_j = X\vec{a}'$, and $b'_j = b_j$ otherwise.

Now, we consider the sub-system CIC⁻ obtained by applying the following restrictions:

• In the typing rules (Ind*) and (Constr), we assume that $\Gamma$ is empty since, in CAC, the types of the symbols must be typable in the empty environment.

• In the rule (Nodep⋆,⋆) (the one for weak elimination), we require $Q$ to be typable in the empty environment.

• In the rule (Nodep⋆,□) (the one for strong elimination), instead of requiring $\Gamma \vdash Q : (\vec{x} : \vec{A})\Box$, which is not possible in the Calculus of Constructions since □ is not typable, we require $Q$ to be a closed term of the form $[\vec{x} : \vec{A}]K$ with $K$ of the form $(\vec{y} : \vec{U})\star$.

• We assume that every inductive type satisfies (16).

Theorem 15 CIC⁻ can be translated into an admissible CAC, hence is strongly normalizing.

We define the translation $\langle\ \rangle$ by induction on the size of terms:

• Let $I = Ind(X : A)\{\vec{C}\}$. We define $\langle I \rangle = [\vec{x} : \langle \vec{A} \rangle]\, Ind_I(\vec{x})$ where $Ind_I$ is a symbol of type $(\vec{x} : \langle \vec{A} \rangle)\star$.

• By assumption, $C_i = (\vec{z} : \vec{B})\, X\vec{m}$. We define $\langle Constr(i, I) \rangle = [\vec{z} : \langle \vec{B} \rangle]\, Constr^I_i(\vec{z})$ where $Constr^I_i$ is a symbol of type $(\vec{z} : \langle \vec{B} \rangle)\, Ind_I(\langle \vec{m} \rangle)$.

• Let $T_i = C_i\{I, Q\}$. If $Q = [\vec{x} : \vec{A}]K$ then we define $\langle Elim(I, Q, \vec{a}, c)\{\vec{f}\} \rangle = SElim^K_I(\langle \vec{f} \rangle, \langle \vec{a} \rangle, \langle c \rangle)$ where $SElim^K_I$ is a symbol of type $(\vec{f} : \langle \vec{T} \rangle)(\vec{x} : \langle \vec{A} \rangle)\langle K \rangle$. Otherwise, we define $\langle Elim(I, Q, \vec{a}, c)\{\vec{f}\} \rangle = WElim_I(\langle Q \rangle, \langle \vec{f} \rangle, \langle \vec{a} \rangle, \langle c \rangle)$ where $WElim_I$ is a symbol of type $(Q : \langle A \rangle)(\vec{f} : \langle \vec{T} \rangle)(\vec{x} : \langle \vec{A} \rangle)\, Q\vec{x}$.

• The other terms are defined recursively ($\langle uv \rangle = \langle u \rangle \langle v \rangle$, ...).


Now, we are left to check the admissibility:

(A1) $\to$ is orthogonal, hence confluent [29].

(A2) The inductive structure defined by $I <_\mathcal{I} J$ if $I$ is a subterm of $J$, $Ind(Ind_I) = \emptyset$, $Acc(Constr^I_i) = \{1, \ldots, |\vec{z}|\}$ if $C_i = (\vec{z} : \vec{B})\, X\vec{m}$, is admissible.

(A3) The rules defining the strong recursors form a simple (they are defined by case on each constructor and only for small inductive types) and recursive rewrite system (they satisfy the General Schema).

(A4) The rules defining the recursors form a safe (except for the constructor, all the arguments are distinct variables) and recursive rewrite system (they satisfy the General Schema).


4.2 Natural Deduction Modulo

NDM for first-order logic [12] can be presented as an extension of Natural Deduction with the additional inference rule:

$\dfrac{\Gamma \vdash P}{\Gamma \vdash Q}$ if $P \equiv Q$

where $\equiv$ is a congruence relation on propositions. This is a powerful extension of first-order logic since both higher-order logic and set theory with a comprehension symbol can be described in this framework (by using explicit substitutions).

In [13], Dowek and Werner study the termination of cut-elimination in the case where $\equiv$ is induced by a confluent and weakly-normalizing rewrite system. In particular, they prove the termination in two general cases: when the rewrite system is positive and when it is quantifier-free. In [14], they provide an example of a confluent and weakly normalizing rewrite system for which cut-elimination is not terminating. The problem comes from the fact that the elimination rule for $\forall$ introduces a substitution:

$\dfrac{\Gamma \vdash \forall x.P(x)}{\Gamma \vdash P(t)}$

Thus, when a predicate symbol is defined by a rule whose right-hand side contains quantifiers, its combination with $\beta$ may not preserve normalization. Therefore, a criterion for higher-order rewriting is needed.

Since NDM is a CAC (we can define the logical connectors as inductive types), we can compare in more detail the conditions of [13] with our conditions.

(A1) In [13], only $\to_\mathcal{R}$ is required to be confluent. In general, this is not sufficient for having the confluence of $\to_\mathcal{R} \cup \to_\beta$. However, if $\mathcal{R}$ is left-linear then $\to_\mathcal{R} \cup \to_\beta$ is confluent [29].

(A2) NDM types are primitive and form an admissible inductive structure if we take them equivalent in the relation $<_\mathcal{I}$.

(A3) In [13], the termination of cut-elimination is proved in two general cases: when $(\mathcal{DF}^\Box, \mathcal{R}_{\mathcal{DF}^\Box})$ is quantifier-free and when it is positive. Quantifier-free rewrite systems are primitive. So, in this case, (A3) is satisfied. In the positive case, we require that left-hand sides are made of free symbols and that at most one rule can apply at the top of a term. On the other hand, we provide a new case: $(\mathcal{DF}^\Box, \mathcal{R}_{\mathcal{DF}^\Box})$ can be simple and recursive.

(A4) Quantifier-free rules are algebraic and rules with quantifiers are not. In [13], these two kinds of rules are treated in the same way, but the counter-example given in [14] shows that they should not be. In CAC, we require that the rules with quantifiers satisfy the General Schema.

Theorem 16 A NDM system satisfying (A1), (A3) and (A4) is admissible, hence strongly normalizing.

4.3 CIC + Rewriting

As a combination of the two previous applications, our work shows that the extension of CIC⁻ with user-defined rewrite rules, even at the predicate-level, is sound if these rules follow our admissibility conditions.

As an example, we consider simplification rules on propositions that are not definable in CIC. Assume that we have the symbols $\vee : \star \to \star \to \star$, $\wedge : \star \to \star \to \star$, $\neg : \star \to \star$, $\bot, \top : \star$ and the rules:

$\top \vee P \to \top$
$P \vee \top \to \top \qquad P \wedge \bot \to \bot$
$\neg(P \wedge Q) \to \neg P \vee \neg Q \qquad \neg(P \vee Q) \to \neg P \wedge \neg Q$

The predicate constructors $\vee$, $\wedge$, ... are all primitive. The rewrite system is primitive, algebraic, strongly normalizing and confluent (this can be automatically proved by CiME [16]). Since it is left-linear, its combination with $\to_\beta$ is confluent [29]. Therefore, it is an admissible CAC. But it lacks many other rules [20] which require rewriting modulo associativity and commutativity, an extension we leave for future work.
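To make the simplification system above concrete, here is an added Python example (not code from the paper) that rewrites propositions with exactly the five rules listed and checks the two syntactic properties the admissibility argument relies on, left-linearity and non-duplication. The tuple encoding of propositions and the rule-variable names P and Q are assumptions of the example.

```python
from collections import Counter

# Propositions: 'T' is top, 'F' is bottom, other strings are atoms, and
# ('not', p), ('and', p, q), ('or', p, q) are the connectives.  The rule
# variables P and Q match any proposition (encoding assumed for this example).
VARS = {'P', 'Q'}
RULES = [                                    # the five rules of Section 4.3
    (('or', 'T', 'P'), 'T'),
    (('or', 'P', 'T'), 'T'),
    (('and', 'P', 'F'), 'F'),
    (('not', ('and', 'P', 'Q')), ('or', ('not', 'P'), ('not', 'Q'))),
    (('not', ('or', 'P', 'Q')), ('and', ('not', 'P'), ('not', 'Q'))),
]

def match(pat, term, env=None):
    """Syntactic matching of a rule pattern against a term; returns the
    substitution as a dict, or None when the pattern does not match."""
    env = {} if env is None else env
    if pat in VARS:
        if pat in env and env[pat] != term:  # only reached for a non-linear lhs
            return None
        env[pat] = term
        return env
    if isinstance(pat, tuple):
        if not isinstance(term, tuple) or len(pat) != len(term) or pat[0] != term[0]:
            return None
        for p, t in zip(pat[1:], term[1:]):
            if match(p, t, env) is None:
                return None
        return env
    return env if pat == term else None

def instantiate(pat, env):
    """Applies the substitution env to a right-hand side."""
    if pat in VARS:
        return env[pat]
    if isinstance(pat, tuple):
        return (pat[0],) + tuple(instantiate(p, env) for p in pat[1:])
    return pat

def normalize(term):
    """Innermost rewriting to normal form; it terminates because the system is
    strongly normalizing, and the result is unique because it is confluent."""
    if isinstance(term, tuple):
        term = (term[0],) + tuple(normalize(t) for t in term[1:])
    for lhs, rhs in RULES:
        env = match(lhs, term)
        if env is not None:
            return normalize(instantiate(rhs, env))
    return term

def occurrences(pat):
    """Counts how often each rule variable occurs in pat."""
    if pat in VARS:
        return Counter([pat])
    if isinstance(pat, tuple):
        return sum((occurrences(p) for p in pat[1:]), Counter())
    return Counter()

def left_linear(rule):
    """Each variable occurs at most once in the left-hand side."""
    return all(n == 1 for n in occurrences(rule[0]).values())

def non_duplicating(rule):
    """No variable has more occurrences in the right-hand side than in the left."""
    lhs, rhs = occurrences(rule[0]), occurrences(rule[1])
    return all(rhs[v] <= lhs[v] for v in rhs)
```

Note that the rules as given leave ¬⊤ and ⊤ ∧ Q in normal form; the associativity and commutativity the text mentions are not modelled.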

5 Conclusion

We have defined an extension of the Calculus of Constructions by functions and predicates defined with rewrite rules. The main contributions of our work are the following:

• We consider a general notion of rewriting at the predicate-level which generalizes the "strong elimination" of the Calculus of Inductive Constructions [26, 31]. For example, we can define simplification rules on propositions that are not definable in CIC.

• We consider general syntactic conditions, including confluence, that ensure the strong normalization of the calculus. In particular, these conditions are fulfilled by two important systems: a sub-system of the Calculus of Inductive Constructions which is the basis of the proof assistant Coq [17], and Natural Deduction Modulo [12, 13], a large class of equational theories.

• We use a more general notion of constructor which allows pattern-matching on defined symbols and equations among constructors.

• We relax the usual conditions on rewrite rules for ensuring the subject reduction property. In this way, we can eliminate some non-linearities in left-hand sides of rules and ease the confluence proof.

6 Directions for future work

• In our conditions, we assume that the predicate symbols defined by rewrite rules containing quantifiers ("non-primitive" predicate symbols) are defined by pattern-matching on free symbols only ("simple" systems). It would be nice to be able to relax this condition.

• Another important assumption is that the reduction relation $\to \;=\; \to_\mathcal{R} \cup \to_\beta$ must be confluent. We will try to find sufficient conditions on $\mathcal{R}$ in order to get the confluence of $\to_\mathcal{R} \cup \to_\beta$. In the simply-typed λ-calculus, if $\mathcal{R}$ is a first-order rewrite system then the confluence of $\mathcal{R}$ is a sufficient condition [7]. But few results are known in the case of a richer type system or of higher-order rewriting.

• Finally, we expect to extend this work with rewriting modulo some useful equational theories like associativity and commutativity, and also by allowing η-reductions in the type conversion rule.
Abstract

Decision procedures for equality in a combination of theories are at the core of a number of verification systems. Shostak's decision procedure for equality in the combination of solvable and canonizable theories has been around for nearly two decades. Variations of this decision procedure have been implemented in a number of systems including STP, Ehdm, PVS, STeP, and SVC. The algorithm is quite subtle and a correctness argument for it has remained elusive. Shostak's algorithm and all previously published variants of it yield incomplete decision procedures. We describe a variant of Shostak's algorithm along with proofs of termination, soundness, and completeness.


1  Introduction 

In 1984, Shostak [Sho84] published a decision procedure for the quantifier-free theory of equality over uninterpreted functions combined with other theories that are canonizable and solvable. Such algorithms decide statements of the form $T \vdash a = b$, where $T$ is a collection of equalities, and $T$, $a$, and $b$ contain a mixture of interpreted and uninterpreted function symbols. This class of statements includes a large fraction of the proof obligations that arise in verification including those involving extended typechecking, verification conditions generated from Hoare triples, and inductive theorem proving. Shostak's procedure is at the core of several verification systems including STP [SSMS82], Ehdm [EHD93], PVS [ORS92], STeP [MT96, Bjo99], and SVC [BDL96]. The soundness of Shostak's algorithm is reasonably straightforward, but its completeness has steadfastly resisted proof. The proof given by Shostak [Sho84] is seriously flawed. Despite its significance and popularity, Shostak's original algorithm and its subsequent variations [CLS96, BDL96, Bjo99] are all incomplete and potentially nonterminating. We explain the ideas underlying Shostak's decision procedure by presenting a correct version of the algorithm along with rigorous proofs for its correctness.

* This work was supported by SRI International, and by NSF Grant CCR-0082560, DARPA/AFRL Contract F33615-00-C-3043, and NASA Contract NAS1-0079.

If the terms in a conjecture of the form $T \vdash a = b$ are constructed solely from variables and uninterpreted function symbols, then congruence closure [NO80, Sho78, DST80, CLS96, Kap97, BRRT99] can be used to partition the subterms into equivalence classes respecting $T$ and congruence. For example, when congruence closure is applied to

$f^3(x) = f(x) \vdash f^5(x) = f(x),$

the equivalence classes generated by the antecedent equality are $\{x\}$, $\{f(x), f^3(x), f^5(x)\}$, and $\{f^2(x), f^4(x)\}$. This partition clearly validates the conclusion $f^5(x) = f(x)$.

In practice, a conjecture $T \vdash a = b$ usually contains a mixture of uninterpreted and interpreted function symbols. Semantically, uninterpreted functions are unconstrained, whereas interpreted functions are constrained by a theory, i.e., a closure condition with respect to consequence on a set of equalities. An example of such an assertion is

$f(x - 1) - 1 = x + 1,\ f(y) + 1 = y - 1,\ y + 1 = x \vdash false,$

where $+$, $-$, and the numerals are from the theory of linear arithmetic, $false$ is an abbreviation for $0 = 1$, and $f$ is an uninterpreted function symbol. The contradiction here cannot be derived solely by congruence closure or linear arithmetic. Linear arithmetic is used to show that $x - 1 = y$ so that $f(x - 1) = f(y)$ follows by congruence. Linear arithmetic can then be used to show that $x + 2 = y - 2$ which contradicts $y + 1 = x$.
Nelson and Oppen [NO79] showed how decision procedures for disjoint equational theories could be combined. Since linear arithmetic and uninterpreted equality are disjoint, this method can be applied to the above example. First, variable abstraction is used to obtain a theory-wise partition of the term universe, i.e., the subterms of $T$, $a$, and $b$, in a conjecture $T \vdash a = b$. The uninterpreted equality theory $Q$ then consists of the terms $\{f(u), f(y), w, z\}$ and the equalities $\{w = f(u), z = f(y)\}$, and the linear arithmetic theory $L$ consists of the terms $\{u, x, y, x - 1, w - 1, x + 1, z + 1, y - 1, y + 1\}$ and the equalities $\{u = x - 1, w - 1 = x + 1, z + 1 = y - 1, y + 1 = x\}$. The key observation is that once the terms and equalities have been partitioned using variable abstraction, the two theories $L$ and $Q$ need exchange only equalities between variables. Thus, linear arithmetic can be used to derive the equality $u = y$, from which congruence closure derives $w = z$, and the contradiction then follows from linear arithmetic. Since the term universe is fixed in advance, there are only a bounded number of equalities between variables so that the propagation of information between the decision procedures must ultimately converge.

The Nelson-Oppen combination procedure has some disadvantages. The individual decision procedures must carry out their own equality propagation and the communication of equalities between decision procedures can be expensive. The number of equalities is quadratic in the size of the term universe, and each closure operation can itself be linear in the size of the term universe.

Shostak's algorithm tries to gain efficiency by maintaining and propagating equalities within a single congruence closure data structure. Equalities involving interpreted symbols contain more information than uninterpreted equalities. For example, the equality $y + 1 = x$ cannot be processed by merely placing $y + 1$ and $x$ in the same equivalence class. This equality also implies that $y - x = -1$, $x - y = 1$, $y + 3 = x + 2$, and so on. In order to avoid processing all these variations on the given equality, Shostak restricts his attention to solvable theories where an equality of the form $y + 1 = x$ can be solved for $x$ to yield the solution $x = y + 1$. If the theories considered are also canonizable, then there is a canonizer $\sigma$ such that whenever an equality $a = b$ is valid, then $\sigma(a) \equiv \sigma(b)$, where $\equiv$ represents syntactic equality. A canonizer for linear arithmetic can be defined to place terms into an ordered sum-of-monomials form. Once a solved form such as $x = y + 1$ has been obtained, all the other consequences $a = b$ of this equality can be obtained by $\sigma(a') \equiv \sigma(b')$ where $a'$ and $b'$ are the results of substituting the solution for $x$ into $a$ and $b$, respectively. For example, substituting the solution into $y = x - 1$ yields $y = y + 1 - 1$, and the subsequent canonization step yields $y = y$.

The notion of a solvable and canonizable theory is extended to equalities involving a mix of interpreted and uninterpreted symbols by treating uninterpreted terms as variables. For the conjecture

$f(x - 1) - 1 = x + 1,\ f(y) + 1 = y - 1,\ y + 1 = x \vdash false,$

Shostak's algorithm would solve the equality $f(x - 1) - 1 = x + 1$ as $f(x - 1) = x + 2$, the equality $f(y) + 1 = y - 1$ as $f(y) = y - 2$, and $y + 1 = x$ as $x = y + 1$. Now, $f(x - 1)$ and $f(y)$ are congruent because the canonical form for $x - 1$ obtained after substituting the solution $x = y + 1$ is $y$. By congruence closure, the equivalence classes of $f(x - 1)$ and $f(y)$ have to be merged. In Shostak's original algorithm the current representatives of these equivalence classes, namely $x + 2$ and $y - 2$, are merged. The resulting equality $x + 2 = y - 2$ is first solved to yield $x = y - 4$. This is incorrect because we already have a solution for $x$ as $x = y + 1$ and $x$ should therefore have been eliminated. The new solution $x = y - 4$ contradicts the earlier one, but this contradiction goes undetected by Shostak's algorithm. This example can be easily adapted to show nontermination. Consider

$f(v) = v,\ f(u) = u - 1,\ u = v \vdash false.$

The merging of $u$ and $v$ here leads to the detection of the congruence between $f(u)$ and $f(v)$. This leads to solving of $u - 1 = v$ as $u = v + 1$. Now, the algorithm merges $v$ and $v + 1$. Since $v$ occurs in $v + 1$, this causes $v + 1$ to be merged with $v + 2$, and so on.

An earlier paper by Cyrluk, Lincoln, and Shankar [CLS96] gave an explanation (with minor corrections) of Shostak's algorithm for congruence closure and its extension to interpreted theories. Though proofs of correctness for the combination algorithm are briefly sketched, the algorithm presented there is both incomplete and nonterminating. Other published variants of Shostak's algorithm used in SVC [BDL96] and STeP [Bjo99] inherit these problems.

In this paper, we present an algorithm that fixes the incompleteness and nontermination in earlier versions of Shostak's algorithm. In the above example, the incompleteness is fixed by substituting the solution for $x$ into the terms representing the different equivalence classes. Thus, when $f(x - 1)$ and $f(y)$ are detected to be congruent, their equivalence classes are represented by $y + 3$ and $y - 2$, respectively. The resulting equality $y + 3 = y - 2$ easily yields a contradiction. The nontermination is fixed by ensuring that no new mergeable terms, such as $v + 2$, are created during the processing of an axiom in $T$. Our algorithm is presented as a system of transformations on a set of equalities in order to capture the key insights underlying its correctness. We outline rigorous proofs for the termination, soundness, and completeness of this procedure. The algorithm as presented here emphasizes logical clarity over efficiency, but with suitable optimizations and data structures, it can serve as the basis for an efficient implementation. SRI's ICS (Integrated Canonizer/Solver) decision procedure package [FORS01] is directly based on the algorithm studied here.

Section 2 introduces the theory of equality, which is augmented in Section 3 with function symbols from a canonizable and solvable theory. Section 3 also introduces the basic building blocks for the decision procedure. The algorithm itself is described in Section 4 along with some example hand-simulations. The proofs of termination, soundness, and completeness are outlined in Section 5.


2  Background 

With respect to a signature consisting of a set of function symbols $F$ and a set of variables $V$, a term is either a variable $x$ from $V$ or an application $f(a_1, \ldots, a_n)$ of an $n$-ary function symbol $f$ from $F$ to $n$ terms $a_1, \ldots, a_n$, where $0 \leq n$. The metavariable conventions are that $u$, $v$, $x$, $y$, and $z$ range over variables, and $a$, $b$, $c$, $d$, and $e$ range over terms. The metavariables $R$, $S$, and $T$ range over sets of equalities. The metatheoretic assertion $a \equiv b$ indicates that $a$ and $b$ are syntactically identical terms. Let $vars(a)$, $vars(a = b)$, and $vars(T)$ return the variables occurring in a term $a$, an equality $a = b$, and a set of equalities $T$, respectively. The operation $[a]$ is defined to return the set of all subterms of $a$.

Some of the function symbols are interpreted, i.e., they have a specific interpretation in some given theory $\tau$, while the remaining function symbols are uninterpreted, i.e., can be assigned arbitrary interpretations. A term $f(a_1, \ldots, a_n)$ is interpreted (uninterpreted) if $f$ is interpreted (uninterpreted). A term $e$ is non-interpreted if it is either a variable or an uninterpreted term. We say that a term $a$ occurs interpreted in a term $e$ if there is an occurrence of $a$ in $e$ that is not properly within an uninterpreted subterm of $e$. Likewise, $a$ occurs uninterpreted in $e$ if $a$ is a proper subterm of an uninterpreted subterm of $e$. $solvables(a)$ denotes the set of outermost non-interpreted subterms of $a$, i.e., those that do not occur uninterpreted in $a$.

$solvables(f(a_1, \ldots, a_n)) = \bigcup_i solvables(a_i)$, if $f$ is interpreted
$solvables(a) = \{a\}$, otherwise

The theory of equality deals with sequents of the form $T \vdash a = b$. We will insist that these sequents be such that $vars(a = b) \subseteq vars(T)$. The proof theory for equality is given by the following inference rules.

1. Axiom: $\dfrac{}{T \vdash a = b}$ for $a = b \in T$.

2. Reflexivity: $\dfrac{}{T \vdash a = a}$.

3. Symmetry: $\dfrac{T \vdash a = b}{T \vdash b = a}$.

4. Transitivity: $\dfrac{T \vdash a = b \quad T \vdash b = c}{T \vdash a = c}$.

5. Congruence: $\dfrac{T \vdash a_1 = b_1 \ \ldots\ T \vdash a_n = b_n}{T \vdash f(a_1, \ldots, a_n) = f(b_1, \ldots, b_n)}$.

The semantics for terms is given by a model $M$ over a domain $D$ and an assignment $\rho$ for the variables so that $M[\![x]\!]_\rho = \rho(x)$ and $M[\![f(a_1, \ldots, a_n)]\!]_\rho = M(f)(M[\![a_1]\!]_\rho, \ldots, M[\![a_n]\!]_\rho)$, and $M[\![a]\!]_\rho \in D$ for all $a$. We say that $M, \rho \models a = b$ iff $M[\![a]\!]_\rho = M[\![b]\!]_\rho$, and $M \models a = b$ iff $M, \rho \models a = b$ for all assignments $\rho$ over $vars(a = b)$. We write $M, \rho \models S$ when $\forall a, b : a = b \in S \supset M, \rho \models a = b$, and $M, \rho \models T \vdash a = b$ when $(M, \rho \models T) \supset (M, \rho \models a = b)$.

3 Canonizable and Solvable Theories

Shostak's algorithm goes beyond congruence closure by deciding equality in the presence of function symbols that are interpreted in a theory $\tau$ [Sho84, CLS96]. The algorithm is targeted at canonizable and solvable theories, i.e., theories that are equipped with solvers and canonizers as outlined below. We write $\models_\tau a = b$ to indicate that $a = b$ is valid in theory $\tau$. The canonizer and solver are first described for pure $\tau$-terms, i.e., without any uninterpreted function symbols, and then extended to uninterpreted terms by regarding these as variables.

Definition 3.1 A theory $\tau$ is canonizable if there is a canonizer $\sigma$ such that

1. $\models_\tau a = b$ iff $\sigma(a) \equiv \sigma(b)$.

2. $\sigma(x) \equiv x$.

3. $vars(\sigma(a)) \subseteq vars(a)$.

4. $\sigma(\sigma(a)) \equiv \sigma(a)$.

5. If $\sigma(a) \equiv f(b_1, \ldots, b_n)$, then $\sigma(b_i) \equiv b_i$ for $1 \leq i \leq n$.

For example, a canonizer $\sigma$ for the theory of linear arithmetic can be defined to transform expressions into an ordered-sum-of-monomials normal form. A term $a$ is said to be canonical if $\sigma(a) \equiv a$.

Definition 3.2 A model $M$ is a $\sigma$-model if $M \models a = \sigma(a)$ for any term $a$, and $M \not\models a = b$ for distinct canonical, variable-free terms $a$ and $b$.

Definition 3.3 A set of equalities $S$ and $a = b$ are $\sigma$-equivalent iff for all $\sigma$-models $M$ and assignments $\rho$ over the variables in $a$ and $b$, $M, \rho \models a = b$ iff there is an assignment $\rho'$ extending $\rho$, over the variables in $S$, $a$, and $b$, such that $M, \rho' \models S$.

Definition 3.4 A canonizable theory is solvable if there is an operation $solve$ such that $solve(a = b) = \bot$ if $a = b$ is unsatisfiable in any $\sigma$-model, or $S = solve(a = b)$ for a set of equalities $S$ such that

1. $S$ is a set of $n$ equalities of the form $x_i = e_i$ for $0 \leq n$ where for each $i$, $0 < i \leq n$,

  (a) $x_i \in vars(a = b)$.

  (b) $x_i \notin vars(e_j)$, for $j$, $0 < j \leq n$.

  (c) $x_i \not\equiv x_j$, for $i \neq j$ and $0 < j \leq n$.

  (d) $\sigma(e_i) \equiv e_i$.

2. $S$ and $a = b$ are $\sigma$-equivalent.

A solver for linear arithmetic, for example, takes an equation of the form
$$c + a_1 x_1 + \cdots + a_n x_n = d + b_1 x_1 + \cdots + b_n x_n,$$
where $a_1 \ne b_1$, and returns
$$x_1 = \sigma\Big( (d - c)/(a_1 - b_1) + ((b_2 - a_2)/(a_1 - b_1)) * x_2 + \cdots + ((b_n - a_n)/(a_1 - b_1)) * x_n \Big).$$
In general, $solve(a = b)$ may contain variables that do not occur in $a = b$, and vice-versa.

There are a number of interesting canonizable and solvable theories including linear arithmetic, the theory of tuples and projections, algebraic datatypes like lists, set algebra, and the theory of fixed-sized bitvectors. In many cases, the canonizability and solvability of the union of theories (with disjoint signatures) follows from the canonizability and solvability of its constituent theories.¹ We do not address modularity issues here but instead assume that we already have a canonizer and solver for a single combined theory.

The solvers and canonizers characterized above are intended to work in the absence of uninterpreted function symbols. They are adapted to terms containing uninterpreted subterms by treating these subterms as variables. Canonizers are applied to terms containing uninterpreted subterms by renaming distinct uninterpreted subterms with distinct new variables. For a given term $a$, let $\gamma$ be a bijective mapping between a set of variables $X$ that do not appear in $a$ and the uninterpreted subterms of $a$. The application of a substitution $\gamma$ to a term $a$, written $\gamma[a]$, is defined so that $\gamma[a] = f(\gamma[a_1], \ldots, \gamma[a_n])$ if $a = f(a_1, \ldots, a_n)$, where $f$ is interpreted. If $a$ is in the domain of $\gamma$, then $\gamma[a] = \gamma(a)$, and otherwise, $\gamma[a] = a$. Then $\sigma(a)$ is $\gamma[\sigma(\gamma^{-1}[a])]$.

For solving equalities containing uninterpreted terms, we introduce, as with $\sigma$, a bijective map $\gamma$ between a set of variables $X$ not occurring in $a$ or $b$, and the uninterpreted subterms of $a$ and $b$, such that
$$solve(a = b) = \gamma[solve(\gamma^{-1}[a] = \gamma^{-1}[b])].$$

When uninterpreted terms are handled as above, the conditions in Definitions 3.1 and 3.4 must be suitably adapted by using $solvables(a)$ instead of $vars(a)$.

The proof theory for equality is augmented for canonizable, solvable theories by the proof rules:

1. Canonization:
$$\frac{}{T \vdash a = \sigma(a)} \quad \text{for any term } a.$$

2. Solve:
$$\frac{T \vdash a = b \qquad T \cup S \vdash c = d}{T \vdash c = d} \quad \text{if } S = solve(a = b) \ne \bot \text{ and } vars(c = d) \subseteq vars(T).$$

3. Solve-$\bot$:
$$\frac{T \vdash a = b}{T \vdash \mathit{false}} \quad \text{if } solve(a = b) = \bot.$$

A sequent $T \vdash c = d$ is derivable if there is a proof of $T \vdash c = d$ using one of the inference rules: axiom, reflexivity, symmetry, transitivity, congruence, canonization, solve, or solve-$\bot$. We say that $T \vdash S$ is derivable if $T \vdash c = d$ is derivable for every $c = d$ in $S$. The sequent $T, S \vdash c = d$ is just $T \cup S \vdash c = d$. The weakening and cut lemmas below are easily verified.

¹The general result on combining solvers claimed by Shostak [Sho84] is incorrect, but there are some restricted results on combining equational unifiers [BS96] that can be applied here.
Lemma 3.5 (weakening) If $T \subseteq T'$ and $T \vdash a = b$ is derivable, then $T' \vdash a = b$ is derivable.

Lemma 3.6 (cut) If $T' \vdash T$ and $T \vdash a = b$ is derivable, then $T' \vdash a = b$ is derivable.

Theorem 3.7 (proof soundness) If $T \vdash a = b$ is derivable, then for any $\sigma$-model $M$ and assignment $\rho$ over $vars(T)$, $M, \rho \models T \vdash a = b$.

Proof. By induction on the derivation of $T \vdash a = b$. The soundness of the solve rules follows from the conditions in Definition 3.4. ∎

A set of equalities $S$ is said to be functional (in a left-to-right reading of the equality) if whenever $a = b \in S$ and $a = b' \in S$, $b = b'$. For example, the solution set returned by $solve$ is functional. A functional set of equalities can be treated as a substitution and the associated operations are defined below. $S(a)$ returns the solution for $a$ if it exists in $S$, and $a$ itself, otherwise. If $a = b$ is in $S$ for some $b$, then $a$ is in the domain of $S$, i.e., $dom(S)$.
$$S(a) = \begin{cases} b & \text{if } a = b \in S \\ a & \text{otherwise} \end{cases}$$
$$dom(S) = \{a \mid \exists b.\ a = b \in S\}.$$

The operation $a \sim_S b$ checks if $a$ is congruent to $b$ in $S$, i.e., $a \equiv f(a_1, \ldots, a_n)$, $b \equiv f(b_1, \ldots, b_n)$, and $S(a_i) = S(b_i)$ for $1 \le i \le n$. A set of equalities $S$ is said to be congruence-closed when for any terms $a$ and $b$ in $dom(S)$ such that $a \sim_S b$, we have $S(a) = S(b)$.

$S[a]$ replaces a subterm $b$ in $a$ by $S(b)$, where $b \in solvables(a)$.
$$S[f(a_1, \ldots, a_n)] = f(S[a_1], \ldots, S[a_n]), \quad \text{if } f \text{ is interpreted}$$
$$S[a] = S(a), \quad \text{otherwise.}$$

$norm(S)(a)$ is a normal form for $a$ with respect to $S$ and is defined as $\sigma(S[a])$. The operation $norm$ does not appear in Shostak's algorithm and is the key element of our algorithm and its proof. With $S$ fixed, we use $\bar{a}$ as a syntactic abbreviation for $norm(S)(a)$.
$$norm(S)(a) = \sigma(S[a]).$$

Lemma 3.8 If $solve(a = b) = S \ne \bot$, then $norm(S)(a) = norm(S)(b)$.

Proof. By Definitions 3.3 and 3.4(2), for any $\sigma$-model $M$ and assignment $\rho'$, we have that $M, \rho' \models S$ implies $M, \rho' \models a = b$. Let $a' = S[a]$ and $b' = S[b]$. By induction on $a$, $M, \rho' \models a = a'$, and similarly $M, \rho' \models b = b'$. Hence, $M, \rho' \models a' = b'$. Then, since $M$ is a $\sigma$-model, by Definition 3.2, it must be the case that $\sigma(a') = \sigma(b')$, and therefore $norm(S)(a) = norm(S)(b)$. ∎

The definition of the $lookup$ operation uses Hilbert's epsilon operator, indicated by the keyword when, to return $S(f(b_1, \ldots, b_n))$ when $b_1, \ldots, b_n$ satisfying the listed conditions can be found. If no such $b_1, \ldots, b_n$ can be found, then $lookup(S)(a)$ returns $a$ itself. We show later that the $lookup$ operation is used only when the results of this choice are deterministic.
$$lookup(S)(f(a_1, \ldots, a_n)) = S(f(b_1, \ldots, b_n)), \quad \text{when } b_1, \ldots, b_n : f(b_1, \ldots, b_n) \in dom(S) \text{ and } a_i = S(b_i) \text{ for } 1 \le i \le n$$
$$lookup(S)(a) = a, \quad \text{otherwise.}$$

$can(S)(a)$ is a canonical form in which any uninterpreted subterm $e$ that is congruent to a known left-hand side $e'$ in $S$ is replaced by $S(e')$. It is analogous to the $canon$ operation in Shostak's algorithm. We use $\hat{a}$ as a syntactic abbreviation for $can(S)(a)$.
$$can(S)(f(a_1, \ldots, a_n)) = lookup(S)(f(\hat{a}_1, \ldots, \hat{a}_n)), \quad \text{if } f \text{ is uninterpreted}$$
$$can(S)(f(a_1, \ldots, a_n)) = \sigma(f(\hat{a}_1, \ldots, \hat{a}_n)), \quad \text{if } f \text{ is interpreted}$$
$$can(S)(a) = S(a), \quad \text{otherwise.}$$

Lemma 3.9 ($\sigma$-norm) If $S$ is functional, then $norm(S)(\sigma(a)) = \bar{a}$ and $can(S)(\sigma(a)) = \hat{a}$.

Proof. We know that $\vdash \sigma(a) = a$. Then for $b' = S[\sigma(a)]$ and $b = S[a]$, the equality $b' = b$ is valid in every $\sigma$-model. Then by Definition 3.2, $\sigma(S[\sigma(a)]) = \sigma(S[a])$, and hence the first part of the lemma.

The reasoning in the second part is similar. If we let $R = \{b = \hat{b} \mid b \in [\![a]\!]\}$, then $can(S)(a) = norm(R)(a)$. We can therefore use the first part of the lemma to establish the second part. ∎

We next introduce a composition operation for merging the results of a $solve$ operation into an existing solution set. When $R \circ S$ is used, $S$ must be functional, and the result contains $a = \bar{b}$ (with $\bar{b} = norm(S)(b)$) for each equality $a = b$ in $R$ in addition to the equalities in $S$.
$$R \circ S = \{a = \bar{b} \mid a = b \in R\} \cup S.$$

The following lemmas about composition are given without proof.

Lemma 3.10 (norm decomposition) If $R \cup S$ is functional, then
$$norm(R \circ S)(a) = norm(S)(norm(R)(a)).$$
$$\begin{aligned}
process(\{a = b, T\}) &= assert(a = b, process(T)) \\
process(\emptyset) &= \emptyset. \\[6pt]
assert(a = b, \bot) &= \bot \\
assert(a = b, S) &= cc(merge(\hat{a}, \hat{b}, S^{+})), \ \text{where } S^{+} = expand(S, \hat{a}, \hat{b}). \\[6pt]
expand(S, a, b) &= S \cup \{e = e \mid e \in new(S, a, b)\}. \\
new(S, a, b) &= [\![a = b]\!] - dom(S). \\[6pt]
merge(a, b, S) &= \bot, \ \text{if } solve(a = b) = \bot \\
merge(a, b, S) &= S \circ solve(a = b), \ \text{otherwise}. \\[6pt]
cc(\bot) &= \bot \\
cc(S) &= cc(merge(S(a), S(b), S)), \ \text{when } a, b : a, b \in dom(S),\ a \sim_S b,\ \text{and } S(a) \ne S(b) \\
cc(S) &= S, \ \text{otherwise}.
\end{aligned}$$

Figure 1: Main Procedure: process


Lemma 3.11 (associativity of composition) If $Q \cup R \cup S$ is functional, then
$$(Q \circ R) \circ S = Q \circ (R \circ S).$$

Lemma 3.12 (monotonicity) If $R \cup S$ is functional, then if $R(a) = R(b)$, then $(R \circ S)(a) = (R \circ S)(b)$, for any $a$ and $b$.


4 An Algorithm for Deciding Equality in the Presence of Theories

We next present an algorithm for deciding $T \vdash c = d$ for terms containing uninterpreted function symbols and function symbols interpreted in a canonizable and solvable theory. The algorithm for verifying $T \vdash c = d$ checks that $can(S)(c) = can(S)(d)$, where $S = process(T)$. The $process$ procedure shown in Figure 1 is written as a functional program. It is a mathematical description of the algorithm and not an optimized implementation. The state of the algorithm consists of a set of equalities $S$ which holds the solution set. We demonstrate as an invariant that $S$ is functional. Two terms $a$ and $b$ in $dom(S)$ are in the same equivalence class according to $S$ if $S(a) = S(b)$.

The operation $process(T)$ returns a final solution set by starting with an empty solution set and successively processing each equality $a = b$ in $T$ by invoking $assert(a = b, S)$, where $S$ is the state as returned by the recursive call of $process$. The invocation of $assert(a = b, S)$ is executed by first reducing $a$ and $b$ to their respective canonical forms $\hat{a}$ and $\hat{b}$. Next, $S$ is expanded to include $e = e$ for each subterm $e$ of $\hat{a} = \hat{b}$ where $e \notin dom(S)$. This preprocessing step ensures that $S$ contains entries corresponding to any terms that might be needed in the congruence closure phase in the operation $cc$.² The $merge$ operation then solves the equality $\hat{a} = \hat{b}$ to get a solution³ $S'$, and returns $S \circ S'$ as the new value for the state $S$. As we will show, this new value affirms $\hat{a} = \hat{b}$, but it is not congruence-closed and hence does not contain all the consequences of the assertion $a = b$. The step $cc(S)$ computes the congruence closure of $S$ by repeatedly picking a pair of congruent terms $a$ and $b$ from $dom(S)$ such that $S(a) \ne S(b)$ and merging them using $merge(S(a), S(b), S)$. Eventually either a contradiction is found or all congruent left-hand sides in $S$ are merged and the $cc$ operation terminates returning a congruence-closed solution set.

The above algorithm fixes the nontermination and incompleteness problems in Shostak's algorithm by introducing the $norm$ operation and the composition operator $R \circ S$ to fold in a solution. The $norm$ operation ensures that no new uninterpreted terms are introduced during congruence closure in the function $cc$, as is needed to guarantee termination. The composition operator $R \circ S$ ensures that any newly generated solution $S$ is immediately substituted into $R$ and the algorithm never attempts to find a solution for an already solved non-interpreted term.

We first illustrate the algorithm on some examples. The first example contains no interpreted symbols.

Example 4.1 Consider the goal $f^3(x) = x, f^5(x) = x \vdash f(x) = x$. The value of $S$ after the base case is $\emptyset$. After the preprocessing of $f^3(x) = x$ in $assert$, $S$ is $\{x = x, f(x) = f(x), f^2(x) = f^2(x), f^3(x) = f^3(x)\}$. After merging $f^3(x)$ and $x$, $S$ is $\{x = x, f(x) = f(x), f^2(x) = f^2(x), f^3(x) = x\}$. When $f^5(x) = x$ is preprocessed in $assert$, $can(S)(f^5(x))$ yields $f^2(x)$ since $S(f^3(x)) = x$, and $S$ is left unchanged. When $f^2(x)$ and $x$ have been merged, $S$ is $\{x = x, f(x) = f(x), f^2(x) = x, f^3(x) = x\}$. Now $f(x) \sim_S f^3(x)$, since $S(x) = x = S(f^2(x))$, and hence $f(x)$ and $x$ are merged so that $S$ is now $\{x = x, f(x) = x, f^2(x) = x, f^3(x) = x\}$.

²Actually, the interpreted subterms of $\hat{a} = \hat{b}$ need not all be included in $dom(S)$. Only those that are immediate subterms of uninterpreted subterms in $\hat{a} = \hat{b}$ are needed.

³Any variables occurring in $solve(a = b)$ and not in $vars(a = b)$ must be fresh, i.e., they must not occur in the original conjecture or be generated by any other invocation of $solve$.
The conclusion $f(x) = x$ easily follows since $can(S)(f(x)) = x = can(S)(x)$.

Example 4.2 Consider $y + 1 = x, f(y) + 1 = y - 1, f(x - 1) - 1 = x + 1 \vdash \mathit{false}$, which is a permutation of our earlier example. Starting with $S = \emptyset$ in the base case, the preprocessing of $f(x - 1) - 1 = x + 1$ causes the equation to be placed into canonical form as $-1 + f(-1 + x) = 1 + x$ and $S$ is set to
$$\{1 = 1, -1 = -1, x = x, -1 + x = -1 + x, f(-1 + x) = f(-1 + x), 1 + x = 1 + x\}.$$
Solving $-1 + f(-1 + x) = 1 + x$ yields $f(-1 + x) = 2 + x$, and $S$ is set to
$$\{1 = 1, -1 = -1, x = x, -1 + x = -1 + x, f(-1 + x) = 2 + x, 1 + x = 1 + x\}.$$
No unmerged congruences are detected. Next, $f(y) + 1 = y - 1$ is asserted. Its canonical form is $1 + f(y) = -1 + y$, and once this equality is asserted, the value of $S$ is
$$\{1 = 1, -1 = -1, x = x, -1 + x = -1 + x, f(-1 + x) = 2 + x, 1 + x = 1 + x, y = y, f(y) = -2 + y, -1 + y = -1 + y, 1 + f(y) = -1 + y\}.$$
Next $y + 1 = x$ is processed. Its canonical form is $1 + y = x$ and the equality $1 + y = 1 + y$ is added to $S$. Solving $1 + y = x$ yields $x = 1 + y$, and $S$ is reset to
$$\{1 = 1, -1 = -1, x = 1 + y, -1 + x = y, f(-1 + x) = 3 + y, 1 + x = 2 + y, y = y, f(y) = -2 + y, -1 + y = -1 + y, 1 + f(y) = -1 + y, 1 + y = 1 + y\}.$$
The congruence closure operation $cc$ detects the congruence $f(-1 + x) \sim_S f(y)$, since $S(-1 + x) = y = S(y)$, and invokes $merge$ on $3 + y$ and $-2 + y$. Solving the equality $3 + y = -2 + y$ yields $\bot$, returning the desired contradiction.
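The following is an added executable rendering of the procedure of Figure 1 together with the linear-arithmetic canonizer and solver of Section 3; it is example code written for this page and is not the authors' ICS implementation. Terms are hashable tuples, solution sets are Python dicts (which makes functionality automatic), and the paper's $\bot$ is the constant BOTTOM. Two choices the paper leaves open are fixed here by assumption: solve isolates an uninterpreted term if one is present and otherwise the alphabetically first variable, and process asserts the equalities front to back rather than by the paper's back-to-front recursion; cc merges the first congruent pair it finds in dictionary order. Interpreted subterms are entered into $dom(S)$ as in the examples, not only the immediate subterms footnote 2 says suffice. The test reproduces Examples 4.1 and 4.2 and also checks a consistent instance ($f(x - 1) = x - 3$ follows from the first two equalities of Example 4.2).

```python
from fractions import Fraction as Fr

# Terms are hashable nested tuples. A variable is a str; an uninterpreted application is
# ('app', f, (args...)); a linear-arithmetic term is ('lin', const, pairs), pairs mapping
# solvables (variables or applications) to rational coefficients. Canonical 'lin' terms hold
# a frozenset of (solvable, coef) pairs; intermediate ones built by add/sub may hold a tuple.
BOTTOM = None                                  # the inconsistent solution set (the paper's bottom)

def is_app(t): return isinstance(t, tuple) and t[0] == 'app'
def is_lin(t): return isinstance(t, tuple) and t[0] == 'lin'
def app(f, *args): return ('app', f, tuple(args))
def lin(const, coefs):
    """Build a canonical linear term; a lone 1*s with zero constant collapses to s itself."""
    coefs = {s: Fr(c) for s, c in coefs.items() if c != 0}
    if const == 0 and len(coefs) == 1 and next(iter(coefs.values())) == 1:
        return next(iter(coefs))
    return ('lin', Fr(const), frozenset(coefs.items()))

def sigma(t):
    """Canonizer sigma for linear arithmetic: flatten nested sums into const + sum(c_i * s_i)."""
    if not is_lin(t): return t
    const, coefs = Fr(t[1]), {}
    for s, c in t[2]:
        s = sigma(s)
        if is_lin(s):                          # a solvable was replaced by a sum: fold it in
            const += c * s[1]
            for s2, c2 in s[2]: coefs[s2] = coefs.get(s2, 0) + c * c2
        else: coefs[s] = coefs.get(s, 0) + c
    return lin(const, coefs)

def add(a, b): return sigma(('lin', 0, ((a, 1), (b, 1))))
def sub(a, b): return sigma(('lin', 0, ((a, 1), (b, -1))))
def const(k): return lin(k, {})
def solve(a, b):
    """Linear solver: isolate one solvable of a - b = 0 (uninterpreted terms first, then the
    alphabetically first variable); {} if the equality is trivial, BOTTOM if unsatisfiable."""
    d = sub(a, b)
    cst, coefs = (d[1], dict(d[2])) if is_lin(d) else (Fr(0), {d: Fr(1)})
    if not coefs: return {} if cst == 0 else BOTTOM
    s = min(coefs, key=lambda t: (not is_app(t), repr(t)))
    c = coefs.pop(s)
    return {s: lin(-cst / c, {t: -c2 / c for t, c2 in coefs.items()})}

def S_of(S, a): return S.get(a, a)             # S(a): the solution for a, or a itself
def subst(S, a):                               # S[a]: replace each solvable of a by S(solvable)
    if is_lin(a): return ('lin', a[1], tuple((subst(S, s), c) for s, c in a[2]))
    return S_of(S, a)
def norm(S, a): return sigma(subst(S, a))      # norm(S)(a) = sigma(S[a])
def lookup(S, a):
    """Return S(b) for a key b = f(b_1..b_n) whose S(b_i) equal a's arguments, else a."""
    for b in S:
        if is_app(b) and b[1] == a[1] and len(b[2]) == len(a[2]) \
                and all(S_of(S, bi) == ai for bi, ai in zip(b[2], a[2])):
            return S_of(S, b)
    return a

def can(S, a):
    """can(S)(a): canonize arguments, then lookup (uninterpreted) or sigma (interpreted)."""
    if is_app(a): return lookup(S, app(a[1], *(can(S, x) for x in a[2])))
    if is_lin(a): return sigma(('lin', a[1], tuple((can(S, s), c) for s, c in a[2])))
    return S_of(S, a)

def compose(R, S):                             # R o S = {a = norm(S)(b) | a = b in R} union S
    return {**{a: norm(S, b) for a, b in R.items()}, **S}
def subterms(a):                               # the subterm set [[a]] of a
    kids = a[2] if is_app(a) else [s for s, _ in a[2]] if is_lin(a) else []
    return {a}.union(*(subterms(k) for k in kids))
def merge(a, b, S):
    sol = solve(a, b)
    return BOTTOM if sol is BOTTOM else compose(S, sol)

def cc(S):
    """Congruence closure: while two congruent keys have different solutions, merge them."""
    while S is not BOTTOM:
        keys = [a for a in S if is_app(a)]
        pair = next(((a, b) for a in keys for b in keys
                     if a != b and a[1] == b[1] and len(a[2]) == len(b[2])
                     and S_of(S, a) != S_of(S, b)
                     and all(S_of(S, x) == S_of(S, y) for x, y in zip(a[2], b[2]))), None)
        if pair is None: return S
        S = merge(S_of(S, pair[0]), S_of(S, pair[1]), S)
    return BOTTOM

def assert_eq(a, b, S):
    """assert(a = b, S): canonize, expand S with identities for new subterms, merge, close."""
    if S is BOTTOM: return BOTTOM
    a, b = can(S, a), can(S, b)
    S = {**{e: e for e in subterms(a) | subterms(b)}, **S}
    return cc(merge(a, b, S))

def process(eqs):
    """process(T), asserting the equalities front to back (the paper recurses back to front)."""
    S = {}
    for a, b in eqs: S = assert_eq(a, b, S)
    return S

def derivable(eqs, c, d):
    """Decide T |- c = d: true if T is inconsistent or c and d share a canonical form."""
    S = process(eqs)
    return S is BOTTOM or can(S, c) == can(S, d)
```

With this code, derivable([(f3, x), (f5, x)], f(x), x) for f3 = f(f(f(x))) and f5 = f(f(f(f(f(x))))) follows the trace of Example 4.1 exactly: the second assertion canonizes f5 to f(f(x)), merging it with x, after which cc finds f(x) and f3 congruent and merges f(x) with x. For Example 4.2, because the equalities are asserted front to back, the contradiction surfaces inside assert rather than inside cc: once x = 1 + y and f(y) = -2 + y are in S, the third equality canonizes to -3 + y = 2 + y, whose solve returns BOTTOM. Solutions are Fractions, so a solver step that divides by a coefficient other than 1 (for instance 2x + f(y) = 3) stays exact.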

5 Analysis

We describe the proofs of termination, soundness, and completeness, and also present a complexity analysis.

Key Invariants. The $merge$ operation is clearly the workhorse of the procedure since it is invoked from within both $assert$ and $cc$. Let $U(X)$ represent the set $\{a \in X \mid a \text{ uninterpreted}\}$ of uninterpreted terms in the set $X$. Let $A$ be $solvables(a)$, $B$ be $solvables(b)$, and $S' = merge(a, b, S)$; then assuming $U(A \cup B) \subseteq dom(S)$ and for all $c \in A \cup B$, $S(c) = c$, the following properties hold of $S'$ if they hold of $S$:

1. Functionality.

2. Subterm closure: $S$ is subterm-closed if for any $a \in dom(S)$, $[\![a]\!] \subseteq dom(S)$.

3. Range closure: $S$ is range-closed if for any $a \in dom(S)$, $U(solvables(S(a))) \subseteq dom(S)$, and for any $c \in solvables(S(a))$, $S(c) = c$.

4. Norm closure: $S$ is norm-closed if $S(a) = norm(S)(a)$ for $a$ in $dom(S)$. This of course holds trivially for uninterpreted terms $a$.

5. Idempotence: $S$ is idempotent if $S[S(a)] = S(a)$, $norm(S)(S(a)) = S(a)$, and $norm(S)(norm(S)(a)) = norm(S)(a)$.

These properties can be easily established by inspection. Since whenever $merge(a, b, S)$ is invoked in the algorithm, the arguments do satisfy the conditions $U(A \cup B) \subseteq dom(S)$ and for all $c \in A \cup B$, $S(c) = c$, it then follows that these properties are also preserved by $assert$ and $cc$, and therefore hold of $process(T)$. We assume below that these invariants hold of $S$ whenever the metavariable $S$ is used with or without subscripts or superscripts.

Lemma 5.1 (merge equivalence) Let $A = solvables(a)$ and $B = solvables(b)$. Given that $U(A \cup B) \subseteq dom(S)$ and for all $c \in A \cup B$, $S(c) = c$, if $S' = merge(a, b, S) \ne \bot$, then

1. $norm(S')(a) = norm(S')(b)$.

2. $U(dom(S')) = U(dom(S))$.

Proof. Let $R = solve(a = b)$. By definition, $merge(a, b, S) = S \circ R$. By Lemma 3.8, $norm(R)(a) = norm(R)(b)$. Since $S(c) = c$ for $c \in A \cup B$, $norm(S)(a) = a$ and $norm(S)(b) = b$. Hence, by norm decomposition, we have $norm(S')(a) = norm(S')(b)$.

By Definition 3.4, $dom(R) \subseteq A \cup B$, hence $U(dom(S')) = U(dom(S))$. ∎

Termination. We define $\#(S)$ to represent the number of distinct equivalence classes partitioning $U(dom(S))$ as given by $P(S)$.
$$E(S)(a) = \{b \in U(dom(S)) \mid S(b) = S(a)\}$$
$$P(S) = \{E(S)(a) \mid a \in U(dom(S))\}$$
$$\#(S) = |P(S)|$$

The definition of $cc(S)$ terminates because the measure $\#(S)$ decreases with each recursive call. If in the definition of $cc$, $merge(S(a), S(b), S) = \bot$, then clearly $cc$ terminates. Otherwise, let $S' = merge(S(a), S(b), S) \ne \bot$, for $a$ and $b$ in $dom(S)$ such that $S(a) \ne S(b)$ and $a \sim_S b$. In this case $a$ and $b$ must be uninterpreted terms since for interpreted terms $a$ and $b$, if $a \sim_S b$, then $S(a) = S(b)$ by norm closure. By merge equivalence, $norm(S')(S(a)) = norm(S')(S(b))$ and $U(dom(S')) = U(dom(S))$. By monotonicity, for any $c$ and $d$ such that $S(c) = S(d)$, we have $S'(c) = S'(d)$, and therefore $\#(S') \le \#(S)$. However, by norm closure, $S'(a) = S'(b)$ so that $\#(S') < \#(S)$.

Soundness. The following lemmas establish the soundness of the operations $norm$ and $can$ with respect to $S$. Substitution soundness and can soundness are proved by a straightforward induction on $a$, and norm soundness is a simple consequence of substitution soundness.

Lemma 5.2 (substitution soundness) If $vars(a) \subseteq vars(T \cup S)$, then $T, S \vdash a = a'$ is derivable, for $a' = S[a]$.

Lemma 5.3 (norm soundness) If $vars(a) \subseteq vars(T \cup S)$, then $T, S \vdash a = \bar{a}$ is derivable.

Lemma 5.4 (can soundness) If $vars(a) \subseteq vars(T \cup S)$, then $T, S \vdash a = \hat{a}$ is derivable.

Lemma 5.5 (merge soundness) If $S' = merge(a, b, S) \ne \bot$, then if $T, S \vdash a = b$, and $T, S' \vdash c = d$ with $vars(c = d) \subseteq vars(T \cup S)$, then $T, S \vdash c = d$. Otherwise, $merge(a, b, S) = \bot$, and $T, S \vdash \mathit{false}$.

Proof. If $S' = merge(a, b, S) \ne \bot$, then let $R = solve(a = b)$. By norm soundness, $S, R \vdash S'$, and hence by cut, $T, S, R \vdash c = d$ is derivable. By the solve rule, $T, S \vdash c = d$ is derivable.

If $merge(a, b, S) = \bot$, then by similar reasoning using the solve-$\bot$ rule, $T, S \vdash \mathit{false}$ is derivable. ∎

Lemma 5.6 (cc soundness) If $S' = cc(S) \ne \bot$ and $T, S' \vdash a = b$ for $vars(a = b) \subseteq vars(T, S)$, then $T, S \vdash a = b$ is derivable. Otherwise, $cc(S) = \bot$, and $S \vdash \mathit{false}$ is derivable.

Proof. By computation induction on the definition of $cc$ using merge soundness. ∎


Lemma 5.7 (process soundness) If $S = process(T_1) \ne \bot$, $T_1 \subseteq T_2$, and $T_2, S \vdash c = d$ for $vars(c = d) \subseteq vars(T_2)$, then $T_2 \vdash c = d$ is derivable. Otherwise, $process(T_1) = \bot$, and $T_1 \vdash \mathit{false}$ is derivable.

Proof. By induction on the length of $T_1$. In the base case, $S$ is empty and the theorem follows trivially. In the induction step, with $T_1 = \{a = b, T_1'\}$ and $S' = process(T_1')$, we have the induction hypothesis that $T_2 \vdash c = d$ is derivable if $T_2, S' \vdash c = d$ is derivable, for any $c, d$ such that $vars(c = d) \subseteq vars(T_2)$. We know by can soundness that $T_2, S' \vdash \hat{a} = a$ and $T_2, S' \vdash \hat{b} = b$ are derivable. When $S'$ is augmented with identities over subterms of $\hat{a}$ and $\hat{b}$ to get $S'^{+}$, we have the derivability of $T_2, S' \vdash S'^{+}$. By cc soundness, we then have the derivability of $T_2, S'^{+} \vdash c = d$ from that of $T_2, S \vdash c = d$. The derivability of $T_2, S' \vdash c = d$ then follows by cut from that of $T_2, S'^{+} \vdash c = d$, and we get the conclusion $T_2 \vdash c = d$ by the induction hypothesis.

A similar induction argument shows that when $process(T_1) = \bot$, then $T_1 \vdash \mathit{false}$. ∎

Theorem 5.8 (soundness) If $S = process(T) \ne \bot$, $vars(a = b) \subseteq vars(T)$, and $\hat{a} = \hat{b}$, then $T \vdash a = b$ is derivable. Otherwise, $process(T) = \bot$, and $T \vdash \mathit{false}$ is derivable.

Proof. If $S = process(T) \ne \bot$, then by can soundness, $T, S \vdash a = \hat{a}$ and $T, S \vdash \hat{b} = b$ are derivable. Hence, by transitivity and symmetry, $T, S \vdash a = b$ is derivable. Therefore, by process soundness, $T \vdash a = b$ is derivable.

If $process(T) = \bot$, then already by process soundness, $T \vdash \mathit{false}$. ∎

Completeness. We show that when $S = process(T)$ then $can(S)$ is a $\sigma$-model satisfying $T$. When this is the case, completeness follows from proof soundness. In proving completeness, we exploit the property that the output of $process$ is congruence-closed.

Lemma 5.9 (confluence) If $S$ is congruence-closed and $U([\![a]\!]) \subseteq dom(S)$, then $can(S)(a) = norm(S)(a)$.

Proof. The proof is by induction on $a$. In the base case, when $a$ is a variable, $can(S)(a) = S(a) = norm(S)(a)$.

If $a$ is uninterpreted and of the form $f(a_1, \ldots, a_n)$, then $can(S)(a) = lookup(S)(f(\hat{a}_1, \ldots, \hat{a}_n))$. Since $S$ is subterm-closed, by the induction hypothesis and norm closure, we have $\hat{a}_i = \bar{a}_i = S(a_i)$ for $1 \le i \le n$. Then there must be some $b$ of the form $f(b_1, \ldots, b_n)$ such that $S(b_i) = S(a_i)$, for $1 \le i \le n$, since $a$ itself is such a $b$. Then by congruence closure and norm closure, $\hat{a} = S(b) = S(a) = \bar{a}$, since $a \sim_S b$.

If $a$ is interpreted, by the induction hypothesis and subterm closure, $\hat{a} = \sigma(f(\hat{a}_1, \ldots, \hat{a}_n)) = \sigma(f(\bar{a}_1, \ldots, \bar{a}_n)) = \bar{a}$. ∎

Lemma 5.10 (can composition) If $S' = S \circ R$ and $S'$ is congruence-closed, then $can(S')(can(S)(a)) = can(S')(a)$.

Proof. By induction on $a$. When $a$ is a variable, $can(S)(a) = S(a)$. If $a \notin dom(S)$, then $S(a) = a$, and hence the conclusion. Otherwise, by range-closure, $U([\![S(a)]\!]) \subseteq dom(S) \subseteq dom(S')$. Then, by confluence, norm decomposition, and idempotence,
$$can(S')(S(a)) = norm(S')(S(a)) = norm(R)(norm(S)(S(a))) = norm(R)(norm(S)(a)) = norm(S')(a) = can(S')(a).$$

In the induction step, let $a = f(a_1, \ldots, a_n)$. If $a$ is uninterpreted, then if $f(\hat{a}_1, \ldots, \hat{a}_n) \sim_S f(b_1, \ldots, b_n)$ for some $f(b_1, \ldots, b_n) \in dom(S)$, then $\hat{a} = S(f(b_1, \ldots, b_n))$. The reasoning used in the base case can then be repeated to derive the conclusion. Otherwise, $\hat{a} = f(\hat{a}_1, \ldots, \hat{a}_n)$ and by the induction hypothesis and the definition of $can$,
$$can(S')(\hat{a}) = lookup(S')(f(can(S')(a_1), \ldots, can(S')(a_n))) = can(S')(a).$$

When $a$ is interpreted, by the induction hypothesis and the $\sigma$-norm lemma,
$$can(S')(\hat{a}) = can(S')(\sigma(f(\hat{a}_1, \ldots, \hat{a}_n))) = \sigma(f(can(S')(a_1), \ldots, can(S')(a_n))) = can(S')(a).$$
∎

Lemma can composition with $\emptyset$ for $R$ yields the idempotence of $can(S)$ for congruence-closed $S$ so that we can define a $\sigma$-model $M_S$ in terms of $can(S)$. The domain $D$ of $M_S$ consists of $\{a \mid can(S)(a) = a\}$. The mapping of functions is such that $M_S(f)(a_1, \ldots, a_n) = lookup(S)(f(a_1, \ldots, a_n))$, if $f$ is uninterpreted. If $f$ is interpreted, $M_S(f)(a_1, \ldots, a_n) = \sigma(f(a_1, \ldots, a_n))$. If $\rho[x] = \rho(x)$ and $\rho[f(a_1, \ldots, a_n)] = f(\rho[a_1], \ldots, \rho[a_n])$, then by the idempotence of $can(S)$, $M_S[\![a]\!]_\rho$ is just $can(S)(\rho[a])$. Lemma $\sigma$-norm can then be used to show $M_S \models \sigma(a) = a$. $M_S$ is therefore a $\sigma$-model. Correspondingly, for a given set of variables $X$, $\rho_S$ is defined so that $\rho_S(x) = can(S)(x)$ for $x \in X$.


Lemma 5.11 (can $\sigma$-model) If $S = process(T) \ne \bot$ and $X = vars(T)$, then $M_S, \rho_S \models a = b$ for any $a = b \in T$.

Proof. Showing that $M_S, \rho_S \models a = b$ is the same as showing that $can(S)(a) = can(S)(b)$. The proof is by induction on $T$. In the base case, $T$ is empty. In the induction step, $T = \{a = b, T'\}$ with $X' = vars(T')$. Let $S' = process(T')$. By the induction hypothesis, $M_{S'}, \rho_{S'} \models T'$. With $S'^{+} = expand(S', a', b')$ for $a' = can(S')(a)$ and $b' = can(S')(b)$, let $S_0 = merge(a', b', S'^{+})$; hence by merge equivalence, $norm(S_0)(a') = norm(S_0)(b')$. By associativity of composition, it can be shown that there is an $R$ such that $S = S_0 \circ R$ and an $R'$ such that $S = S'^{+} \circ R'$. Hence by monotonicity, $norm(S)(a') = norm(S)(b')$. Since $S$ is congruence-closed, by confluence, $can(S)(a') = norm(S)(a')$ and $can(S)(b') = norm(S)(b')$. Hence, $can(S)(a') = can(S)(b')$.

It can also be shown that $can(S'^{+})(a) = can(S')(a)$, and similarly for $b$. Therefore, by can composition, we have $can(S)(a) = can(S)(b)$, and hence $M_S, \rho_S \models a = b$. A similar argument shows that for $c = d \in T'$, since $can(S')(c) = can(S')(d)$, we also have $can(S)(c) = can(S)(d)$. ∎

When $T \vdash \mathit{false}$ is derivable, we know by proof soundness that there is no $\sigma$-model satisfying $T$ and hence by the can $\sigma$-model lemma, $process(T)$ must be $\bot$.

Theorem 5.12 (completeness) If $S = process(T) \ne \bot$ and $T \vdash a = b$, then $can(S)(a) = can(S)(b)$.

Proof. Since $M_S, \rho_S \models T$ by can $\sigma$-model for $X = vars(T)$, we have by proof soundness that $can(S)(a) = can(S)(b)$. ∎

Complexity. We have already seen in the termination argument that the number of iterations of $cc$ in $process$ is bounded by the number of distinct equivalence classes of terms in $dom(S)$, which is no more than the number of distinct uninterpreted terms. We will assume that the $solve$ operation is performed by an oracle and that there is some fixed bound on the size of the solution set returned by it. In the case of linear arithmetic, the solution set has at most one element. Let $n$ represent the number of distinct terms appearing in $T$, which is also a bound on $|S|$ and on the size of the largest term appearing in $S$. The composition operation can be implemented in linear time. Thus the entire algorithm has $O(n^2)$ steps assuming that the $\sigma$ and $solve$ operations are length-preserving and ignoring the time spent inside $solve$.
6 Conclusions

Shostak's decision procedure for equality in the presence of interpreted and uninterpreted functions is seriously flawed. It is both incomplete and non-terminating, and hence not a decision procedure. All subsequent variants of Shostak's algorithm have been similarly flawed. This is unfortunate because decision procedures based on Shostak's algorithm are at the core of a number of widely used verification systems. We have presented a correct algorithm that captures Shostak's key insights, and described proofs of termination, soundness, and completeness.

Acknowledgments: We are especially grateful to Clark Barrett for instigating this work and correcting several significant errors in earlier drafts, and to Jean-Christophe Filliâtre for his OCaml implementation which yielded useful feedback on the algorithm studied here. The presentation has been substantially improved thanks to the suggestions of the anonymous referees and those of Nikolaj Bjørner, David Cyrluk, Bruno Dutertre, Ravi Hosabettu, Pat Lincoln, Ursula Martin, David McAllester, Sam Owre, John Rushby, and Ashish Tiwari.


References

[BDL96] Clark Barrett, David Dill, and Jeremy Levitt. Validity checking for combinations of theories with equality. In Mandayam Srivas and Albert Camilleri, editors, Formal Methods in Computer-Aided Design (FMCAD '96), volume 1166 of Lecture Notes in Computer Science, pages 187-201, Palo Alto, CA, November 1996. Springer-Verlag.

[Bjø99] Nikolaj Bjørner. Integrating Decision Procedures for Temporal Verification. PhD thesis, Stanford University, 1999.

[BRRT99] L. Bachmair, C. R. Ramakrishnan, I. V. Ramakrishnan, and A. Tiwari. Normalization via rewrite closures. In International Conference on Rewriting Techniques and Applications, RTA '99, Berlin, 1999. Springer-Verlag.

[BS96] F. Baader and K. Schulz. Unification in the union of disjoint equational theories: Combining decision procedures. J. Symbolic Computation, 21:211-243, 1996.

[CLS96] David Cyrluk, Patrick Lincoln, and N. Shankar. On Shostak's decision procedure for combinations of theories. In M. A. McRobbie and J. K. Slaney, editors, Automated Deduction, CADE-13, volume 1104 of Lecture Notes in Artificial Intelligence, pages 463-477, New Brunswick, NJ, July/August 1996. Springer-Verlag.

[DST80] P. J. Downey, R. Sethi, and R. E. Tarjan. Variations on the common subexpressions problem. Journal of the ACM, 27(4):758-771, 1980.

[EHD93] Computer Science Laboratory, SRI International, Menlo Park, CA. User Guide for the Ehdm Specification Language and Verification System, Version 6.1, February 1993. Three volumes.

[FORS01] J-C. Filliâtre, S. Owre, H. Rueß, and N. Shankar. ICS: Integrated canonizer and solver. In CAV 01: Computer-Aided Verification. Springer-Verlag, 2001. To appear.

[Kap97] Deepak Kapur. Shostak's congruence closure as completion. In H. Comon, editor, International Conference on Rewriting Techniques and Applications, RTA '97, number 1232 in Lecture Notes in Computer Science, pages 23-37, Berlin, 1997. Springer-Verlag.

[MT96] Zohar Manna and The STeP Group. STeP: Deductive-algorithmic verification of reactive and real-time systems. In Rajeev Alur and Thomas A. Henzinger, editors, Computer-Aided Verification, CAV '96, volume 1102 of Lecture Notes in Computer Science, pages 415-418, New Brunswick, NJ, July/August 1996. Springer-Verlag.

[NO79] G. Nelson and D. C. Oppen. Simplification by cooperating decision procedures. ACM Transactions on Programming Languages and Systems, 1(2):245-257, 1979.

[NO80] G. Nelson and D. C. Oppen. Fast decision procedures based on congruence closure. Journal of the ACM, 27(2):356-364, 1980.

[ORS92] S. Owre, J. M. Rushby, and N. Shankar. PVS: A prototype verification system. In Deepak Kapur, editor, 11th International Conference on Automated Deduction (CADE), volume 607 of Lecture Notes in Artificial Intelligence, pages 748-752, Saratoga, NY, June 1992. Springer-Verlag.

[Sho78] Robert E. Shostak. An algorithm for reasoning about equality. Communications of the ACM, 21(7):583-585, July 1978.

[Sho84] Robert E. Shostak. Deciding combinations of theories. Journal of the ACM, 31(1):1-12, January 1984.

[SSMS82] R. E. Shostak, R. Schwartz, and P. M. Melliar-Smith. STP: A mechanized logic for specification and verification. In D. Loveland, editor, 6th International Conference on Automated Deduction (CADE), volume 138 of Lecture Notes in Computer Science, New York, NY, 1982. Springer-Verlag.


28 


A Decision Procedure for an Extensional Theory of Arrays


Aaron Stump, Clark W. Barrett, and David L. Dill
Computer Systems Laboratory
Stanford University, Stanford, CA 94305, USA
E-mail: {stump,dill,barrett}@cs.stanford.edu


Jeremy Levitt
0-In Design Automation, Inc.
San Jose, CA 95110, USA
Email: levitt@0-in.com


Abstract

A decision procedure for a theory of arrays is of interest for applications in formal verification, program analysis, and automated theorem-proving. This paper presents a decision procedure for an extensional theory of arrays and proves it correct.

1. Introduction

A decision procedure for a theory of arrays is of interest for applications in formal verification and program analysis. Such a procedure is also of value for theorem-provers. The PVS theorem-prover [11] has an undocumented decision procedure for a theory of arrays [12], and HOL has some automatic support for a theory of arrays via a library for finite partial functions [3].

Two kinds of array theories have been studied previously. Extensional theories require that if two arrays store the same value at index $i$, for each index $i$, then the arrays must be the same. Non-extensional theories do not make this requirement. This paper is the first to present a procedure for checking satisfiability of arbitrary quantifier-free formulas in an extensional theory of arrays and prove its correctness.

2. Theories of arrays

Decision procedures for various theories of arrays have been studied previously. Most of these theories can be divided into extensional and non-extensional varieties. In this section, several families of array theories are axiomatized in classical first-order multi-sorted logic with equality. The theory Arr decided in this paper is then presented and compared to previously decided theories.

2.1. The language

Sorts  The language has a basic sort $I$ for indices into arrays. It also has value sorts, which are the sorts of individuals that may be stored in arrays. The sort $V$ is the sort for primitive values stored in arrays. The set of value sorts is defined to be the least set $X$ satisfying

• $V \in X$

• $\tau \in X \Rightarrow array_\tau \in X$

Every value sort except $V$ is an array sort. The value sorts together with $I$ are all the sorts of the language. $V$ and $I$ need not be distinct.

Definition 1 (dimensionality of a value sort)  The dimension $dim(\tau)$ of a value sort $\tau$ is defined by

• $dim(V) = 0$

• $dim(array_\tau) = dim(\tau) + 1$

Terms  The language has countably infinitely many variables and constants, with countably infinitely many of each distinct sort. The constants are uninterpreted, in the sense that they will not occur in any axiom or axiom scheme. The function symbols of the language are

• $read_\tau$ of type $(array_\tau \times I \to \tau)$, for every value sort $\tau$

• $write_\tau$ of type $(array_\tau \times I \times \tau \to array_\tau)$, for every value sort $\tau$

Subscripts on $read$ and $write$ will generally be omitted. Informally, $read(a, i)$ will denote the value stored in array $a$ at index $i$, and $write(a, i, v)$ will denote an array which stores the same value as $a$ for every index except possibly $i$, where it stores value $v$.

Terms are built up in the usual way from constants and variables using the function symbols. Terms whose sort is an array sort will be called array terms. Terms whose sort is $I$ will be called index terms. The dimension $dim(a)$ of an array term $a$ is the dimension of its sort. If $dim(a) = n$, array $a$ is said to be $n$-dimensional. If $n > 1$, $a$ is also said to be multi-dimensional.
Formulas  The atomic formulas of the language are the equations between terms of the same sort. Formulas are built up from atomic formulas using propositional connectives and quantifiers in the usual way. A formula is closed if it has no free variables. A literal is an atomic formula or the negation of an atomic formula. A theory is a set of closed formulas.

2.2. Theories

Some theories restrict which array sorts are allowed. If a theory allows array sorts of dimension at most $n$, it is said to have just $n$-dimensional arrays. If a theory allows all array sorts, it is said to have multi-dimensional arrays.

The following scheme, which is schematic in a value sort $\tau$, is called the read-over-write axiom scheme. Informally, it says that for all arrays $a$, indices $i$ and $j$, and values $v$ of suitable type, reading the value stored at index $j$ of $write(a, i, v)$ is $v$ if the two indices are equal and $read(a, j)$ if they are different.

Axiom scheme 1 (read-over-write)

$$\forall a : array_\tau.\ \forall i : I.\ \forall j : I.\ \forall v : \tau.\ (i = j \Rightarrow read(write(a, i, v), j) = v) \wedge (i \neq j \Rightarrow read(write(a, i, v), j) = read(a, j))$$

The following scheme, which is schematic in a value sort $\tau$, is called the extensionality axiom scheme. Informally, it expresses a principle of extensionality for arrays: if two arrays store the same value at index $i$, for each index $i$, they are equal.

Axiom scheme 2 (extensionality)

$$\forall a : array_\tau.\ \forall b : array_\tau.\ (\forall i : I.\ read(a, i) = read(b, i)) \Rightarrow a = b$$

The extensional theories are those axiomatized by the read-over-write and extensionality axiom schemes. The non-extensional theories are those axiomatized by just the read-over-write axiom scheme. Note that since a theory is a set of closed formulas, quantifier-free array theories have no variables; all 0-ary symbols are (uninterpreted) constants.

2.3. The theory Arr

The theory Arr decided in this paper is the quantifier-free fragment of the extensional theory with multi-dimensional arrays where sort $V$ is defined to be sort $I$. So indices are the values stored in 1-dimensional arrays.

The restriction to the quantifier-free fragment is justified by the fact that the fully quantified theory is undecidable, even in the absence of the function symbols $write_\tau$ and the read-over-write scheme. This is because single-sorted first-order theories with function symbols and equality may be translated into this array theory in such a way that a first-order formula is valid iff its translation is. The translation maps constant symbols to index constants, $n$-ary function symbols to $n$-dimensional array constants, and terms like $f(x_1, \ldots, x_n)$ to nested read expressions

$$read(\ldots read(read(f', x_1'), x_2') \ldots, x_n')$$

where $f', x_1', \ldots, x_n'$ are the translations of $f, x_1, \ldots, x_n$. The undecidability results for classical first-order logic with just function symbols and equality (see, e.g., [5]) can then be applied to show that even quite restricted quantified fragments of the extensional theory of arrays are undecidable.

A decision procedure for Arr may be useful even for applications which require a fully quantified logic. Many theorem provers, such as the widely used PVS [11], provide strategies to reduce goals to subgoals in decidable fragments of their logic.

2.4. Comparison with related work

In this section, related work is summarized by describing which theories are decided. These theories often use axiomatizations different from but equivalent to that of Arr. All the theories decided are quantifier-free. Kaplan is the only one to distinguish the sorts $V$ and $I$. Many of the previous theories allow arithmetic operators or uninterpreted functions over sort $I$ to be used in addition to the symbols $read$ and $write$. The restriction here to just the essential theory of arrays is justified by the fact that, as will be shown in Section 6 below, the satisfiability procedure for Arr is suitable for incorporation into a framework for cooperating decision procedures [2]. In such a framework, separate decision procedures for arithmetic and uninterpreted functions may be combined with the decision procedure for Arr to decide the combined theory.

The first two works present axioms but no decision procedure for their theories. With the exception of Levitt's work, the others give decision procedures for theories that are strictly weaker than Arr, either because they restrict the form of formulas in the theory (e.g., to just equations), disallow equations between arrays, or are non-extensional.

McCarthy  In [8], McCarthy introduces the function symbols $read$ and $write$ and gives an informal semantics for an extensional theory of arrays based on them.

Collins and Syme  Collins and Syme present in HOL a theory of finite higher-order partial functions similar to a theory with multi-dimensional arrays [3].

Kaplan  In [6], Kaplan gives a decision procedure for a non-extensional equational theory with just 1-dimensional arrays. He considers equations between index terms only, which is reasonable since his theory contains no non-trivial equations between arrays. He then shows how to extend his procedure to decide an extensional equational theory, where the equations may be between array as well as index terms. He imposes the restriction that distinct variables of sort $I$ must receive distinct interpretations.

Suzuki and Jefferson  In [15], Suzuki and Jefferson present a decision procedure for a theory with just 1-dimensional arrays, where equations between arrays are not allowed. The theory has axioms for extensionality and the existence of constant arrays (arrays that store the same value at all indices), but these appear to be included for technical reasons only; the theory decided is equivalent to the one without those axioms under the restrictions they impose. They extend their procedure to decide a theory with a new predicate symbol $PERM$, where $PERM(a, b)$ holds iff the multiset of the values stored in $a$ is contained in the multiset of the values stored in $b$. Sentences of the theory are restricted to the form $P \Rightarrow PERM(a, b)$, where $P$ is any (quantifier-free) sentence not containing $PERM$. Arr does not have the $PERM$ predicate, but inspection of the way Suzuki and Jefferson extend their algorithm to treat $PERM$ shows that it could just as easily be used to extend the algorithm for Arr, as long as their restriction disallowing equations between array terms were retained.

Downey and Sethi  In [4], Downey and Sethi present a decision procedure for an extensional equational theory with just 1-dimensional arrays. Equations between array terms are allowed. They prove that determining the invalidity of an equation in their theory of arrays is NP-complete.

Nelson and Oppen  In [10], Nelson and Oppen describe an extensional theory of arrays. Their theory allows multi-dimensional arrays. They do not present their satisfiability procedure for the extensional theory, but in [9], Nelson gives a detailed presentation of a satisfiability procedure for a non-extensional theory.

Levitt  In Chapter 5 of his PhD thesis [7], Levitt presents a decision procedure for an extensional theory of arrays based on solving equations and canonizing terms, in the style of Shostak [13]. A detailed proof of correctness is not given, and has proved elusive to the authors. In contrast, a detailed proof of correctness is given below for the procedure for Arr.

3. The satisfiability procedure for Arr

Arr is decided by a refutation procedure. The procedure decides satisfiability of conjunctions of literals, which are equations and disequations between terms. Deciding satisfiability of arbitrary boolean combinations of atomic formulas can be reduced to this problem by well-known means. A conjunction of literals whose satisfiability is to be tested will be called a goal. Comma will be used to denote conjunction. Two goals are said to be equisatisfiable when one is satisfiable iff the other is.


3.1. Informal overview

The procedure works in two phases. In the first phase, the original goal is transformed into a set of subgoals such that (i) no subgoal contains $write$ and (ii) the original goal is satisfiable iff one of the subgoals is. Eliminating $write$ expressions is straightforward except when they occur as the left or right hand side of an equation. How to eliminate such occurrences of $write$ expressions is the crucial insight of this algorithm.

Definition 2 ($=_{\_}$)

$$a =_{\mathcal{I}} b \ \equiv_{def}\ \forall i : I.\ i \notin \mathcal{I} \Rightarrow read(a, i) = read(b, i)$$

Formulas of the form $a =_{\mathcal{I}} b$ with $\mathcal{I} \neq \emptyset$ are called partial equations.

The crucial observation is that

$$write(a, i, v) = b \ \Leftrightarrow\ (a =_{\{i\}} b \wedge read(b, i) = v).$$

$write$ expressions occurring as sides of equations may thus be eliminated by introducing partial equations.

The second phase of the procedure is based on the observation that in the absence of $write$, arrays behave like uninterpreted functions and $read$ behaves like function application. So in the absence of $write$, a congruence closure algorithm (cf. [1]) could be used to decide the theory. The algorithm must be modified to work with partial equations as well as equations, but this can be done. For simplicity, the very simple congruence closure algorithm described in [14] is used, but it should be possible to modify a more complex algorithm.

3.2. Formal presentation

Figure 1 presents our procedure as a proof system. The proof system determines a non-deterministic procedure, where rules are applied bottom-up to analyze a goal into one or more subgoals. The system may be thought of as a rewrite system, where, for each rule, the goal below the line is rewritten to the subgoals above the line. The system resembles a Gentzen-Schütte system where only left rules of the corresponding sequent system are used (i.e., a sequent system where sequents are restricted to be of the form $\Gamma \vdash \bot$). The derivable objects of this system are sets of literals. It is intended that a set of literals be derivable iff their conjunction is unsatisfiable. A deduction of a goal is a tree obtained by applying the proof rules bottom-up to that goal. A goal to which no rule can be applied is said to be normal.
Phase 1:

(ext)
$$\frac{\Gamma,\ read(a, k) \neq read(b, k)}{\Gamma,\ a \neq b}$$
$k$ is not free in the conclusion; $a$ and $b$ are arrays

(r-over-w)
$$\frac{\Gamma[v],\ i = j \qquad \Gamma[read(a, j)],\ i \neq j}{\Gamma[read(write(a, i, v), j)]}$$

(w-elim)
$$\frac{\Gamma,\ a =_{\mathcal{I}} b,\ i \in \mathcal{I} \qquad \Gamma,\ a =_{i,\mathcal{I}} b,\ read(b, i) = v,\ i \notin \mathcal{I}}{\Gamma,\ write(a, i, v) =_{\mathcal{I}} b}$$

(w-elim-helper)
$$\frac{\Gamma,\ b =_{\mathcal{I}} a}{\Gamma,\ a =_{\mathcal{I}} b}$$
$b$ is a write expression, and $a$ is not

Phase 2:

(partial-eq)
$$\frac{\Gamma,\ a =_{\mathcal{I}} b,\ read(a, i) = read(b, i),\ i \notin \mathcal{I} \qquad \Gamma,\ a =_{\mathcal{I}} b,\ i \in \mathcal{I}}{\Gamma,\ a =_{\mathcal{I}} b}$$
where $a \not\equiv b$; $\mathcal{I} \neq \emptyset$; $read(a, i)$ occurs in $\Gamma$

(trans)
$$\frac{\Gamma,\ a =_{\mathcal{I}} b,\ a =_{\mathcal{I}'} c,\ b =_{\mathcal{I} \cup \mathcal{I}'} c}{\Gamma,\ a =_{\mathcal{I}} b,\ a =_{\mathcal{I}'} c}$$
$\mathcal{I} \neq \emptyset$ and $\mathcal{I}' \neq \emptyset$

(subst)
$$\frac{\Gamma[y],\ x = y}{\Gamma[x],\ x = y}$$
$x \succeq y$, $x \not\equiv y$, $x$ not in $\Gamma[]$

(symm)
$$\frac{\Gamma,\ y =_{\mathcal{I}} x}{\Gamma,\ x =_{\mathcal{I}} y}$$
$x \prec y$

Both phases:

(∈-split)
$$\frac{\Gamma,\ i = j \qquad \Gamma,\ i \in \mathcal{I}}{\Gamma,\ i \in (j, \mathcal{I})}$$

(∉-expand)
$$\frac{\Gamma,\ i \notin \mathcal{I},\ i \neq j}{\Gamma,\ i \notin (j, \mathcal{I})}$$

(∈-empty)
$$\frac{}{\Gamma,\ i \in \emptyset}$$

(ax)
$$\frac{}{\Gamma,\ x \neq x}$$

Figure 1. The decision procedure as a proof system
The system has two phases. Some rules may be applied in just one phase, while others may be applied in either phase. The rules of phase 1 are applied to a goal until no rule applies, and then the rules of phase 2 are applied. The procedure stops and reports that the original conjunction is satisfiable if it encounters a normal subgoal. Otherwise, it reports that the original goal is unsatisfiable. As mentioned before, phase 2 is a modified congruence closure algorithm. The core congruence closure algorithm consists of just the rules (symm) and (subst) [14].

The set-theoretic operators have their usual meanings; note that $i, \mathcal{I}$ denotes $\{i\} \cup \mathcal{I}$, where $\mathcal{I}$ does not contain $i$. $\Gamma[]$ denotes a context, which is an expression containing one or more occurrences of a single free variable. The expression obtained by substituting the term $t$ for the context's free variable is written $\Gamma[t]$. In the rule (subst), since the side condition requires that $\Gamma[]$ contain no occurrences of the term $x$, applying (subst) replaces all occurrences of $x$ in $\Gamma[x]$ with the term $y$. $\equiv$ denotes syntactic identity. The symbol $\preceq$ denotes an ordering on terms by size, which is defined on terms in the usual way. Let $x \preceq y$ iff $x$ and $y$ are such that the size of $x$ is less than or equal to the size of $y$. The variants $\prec$ and $\succeq$ are derived from $\preceq$ in the usual way.

3.3. Avoiding non-termination in phase 2

In phase 2, applications of (partial-eq) and (trans) must be restricted to avoid certain sources of non-termination. There is nothing preventing (partial-eq) and (trans) from being applied repeatedly with the same partial equations, because for both rules, the partial equations are retained in the goal. For (partial-eq), this form of non-termination may be prevented by adding a side condition to the rule that prevents it from being applied if, informally, $read(a, i)$ and $read(b, i)$ are already known to be equal or if $i$ is already known to be equal to an element of $\mathcal{I}$. Formally, the procedure can test whether or not $t$ and $t'$ are already known to be equal by applying all the rules of phase 2 except (partial-eq) and (trans) to the current goal with $t \neq t'$ added, and seeing whether or not that goal is reported unsatisfiable. If neither (∈-split) nor (∉-expand) applies to the current goal, then this is equivalent just to comparing normal forms as determined by the core congruence closure algorithm. So in an implementation, this non-termination may easily be prevented. A similar approach can be used to prevent (trans) from being applied repeatedly to the same formulas. The required machinery, however, has been omitted from the proof system for simplicity.
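The two phases of Figure 1, together with the Section 3.3 check that blocks repeated (partial-eq) and (trans) applications, as an added worked example that is not the paper's own code: a small Python search that applies the rules bottom-up and reports a goal satisfiable iff some branch reaches a normal subgoal. The term and literal encodings, the `sorts` map from constants to array dimension, the eager expansion of $i \in \mathcal{I}$ and $i \notin \mathcal{I}$ (equivalent to saturating (∈-split), (∉-expand) and (∈-empty)), and the reserved fresh-index names `k0, k1, ...` for (ext) are assumptions of this example.

```python
from itertools import count

_fresh = count()  # supplies the fresh index k that rule (ext) requires (assumed names k0, k1, ...)
E = frozenset()   # the empty index set: x =_E y is an ordinary equation

# Encoding (an assumption of this example): a constant is a string; read(a, i) is
# ('read', a, i); write(a, i, v) is ('write', a, i, v).  The literal ('eq', I, x, y)
# is x =_I y with I a frozenset of index terms; ('neq', x, y) is x != y.


def size(t):
    """Term size, the ordering compared by (symm) and (subst)."""
    return 1 if isinstance(t, str) else 1 + sum(size(s) for s in t[1:])


def dim(t, sorts):
    """Array dimension of a term (0 for index/value terms); sorts maps constants to dimensions."""
    return sorts[t] if isinstance(t, str) else dim(t[1], sorts) - (t[0] == 'read')


def app(t, f):
    return isinstance(t, tuple) and t[0] == f


def occ(lits):
    """Every subterm occurring in the given literals (members of index sets included)."""
    def sub(t):
        yield t
        if not isinstance(t, str):
            for s in t[1:]:
                yield from sub(s)
    for l in lits:
        for u in (list(l[1]) + [l[2], l[3]] if l[0] == 'eq' else l[1:]):
            yield from sub(u)


def replace(t, x, y):
    """Gamma[y] from Gamma[x]: replace every occurrence of x in t by y."""
    if t == x:
        return y
    return t if isinstance(t, str) else (t[0],) + tuple(replace(s, x, y) for s in t[1:])


def rewrite(lit, x, y):
    """replace applied to every component of a literal (index sets are frozensets)."""
    return (lit[0],) + tuple(frozenset(replace(j, x, y) for j in p) if isinstance(p, frozenset)
                             else replace(p, x, y) for p in lit[1:])


def nf(t, G):
    """Normal form of t under the plain equations of G read as rules x -> y.  Once (subst) is
    saturated no left-hand side occurs elsewhere in G, so one pass is the Section 3.3 test."""
    for l in G:
        if l[0] == 'eq' and not l[1]:
            t = replace(t, l[2], l[3])
    return t


def step(G, sorts):
    """Apply one rule bottom-up: None if G is normal, else the list of subgoals ([] = closed)."""
    if any(l[0] == 'neq' and l[1] == l[2] for l in G):                           # (ax)
        return []
    for l in G:                                                                # Phase 1
        if l[0] == 'neq' and dim(l[1], sorts) > 0:                               # (ext)
            k = 'k%d' % next(_fresh)
            sorts[k] = 0
            return [G - {l} | {('neq', ('read', l[1], k), ('read', l[2], k))}]
    for t in set(occ(G)):
        if app(t, 'read') and app(t[1], 'write'):                                # (r-over-w)
            _, (_, a, i, v), j = t
            return [{rewrite(m, t, v) for m in G} | {('eq', E, i, j)},
                    {rewrite(m, t, ('read', a, j)) for m in G} | {('neq', i, j)}]
    for l in G:
        if l[0] == 'eq' and app(l[2], 'write'):                                  # (w-elim)
            (_, a, i, v), I, b, rest = l[2], l[1], l[3], G - {l}
            return ([rest | {('eq', I, a, b), ('eq', E, i, j)} for j in I]       # i in I, split
                    + [rest | {('eq', I | {i}, a, b), ('eq', E, ('read', b, i), v)}
                            | {('neq', i, j) for j in I}])                        # i notin I, expanded
        if l[0] == 'eq' and app(l[3], 'write'):                                  # (w-elim-helper)
            return [G - {l} | {('eq', l[1], l[3], l[2])}]
    for l in G:                                                                # Phase 2
        if l[0] == 'eq' and size(l[2]) < size(l[3]):                             # (symm)
            return [G - {l} | {('eq', l[1], l[3], l[2])}]
    for l in G:  # after (symm) every equation has its larger side on the left, as (subst) requires
        if l[0] == 'eq' and not l[1] and l[2] != l[3] and l[2] in occ(G - {l}):  # (subst)
            return [{l} | {rewrite(m, l[2], l[3]) for m in G - {l}}]
    for l in G:
        if l[0] == 'eq' and l[1] and l[2] != l[3]:                               # (partial-eq)
            I, a, b = l[1], l[2], l[3]
            for t in set(occ(G)):
                if (app(t, 'read') and t[1] == a and t[2] not in I
                        and nf(t, G) != nf(('read', b, t[2]), G)):              # Section 3.3 check
                    return ([G | {('eq', E, t, ('read', b, t[2]))} | {('neq', t[2], j) for j in I}]
                            + [G | {('eq', E, t[2], j)} for j in I])
    peqs = [l for l in G if l[0] == 'eq' and l[1]]
    for l1 in peqs:
        for l2 in peqs:
            if l1[2] == l2[2] and l1[3] != l2[3]:                                # (trans)
                J, b, c = l1[1] | l2[1], l1[3], l2[3]
                if ('eq', J, b, c) not in G and ('eq', J, c, b) not in G:       # Section 3.3 check
                    return [G | {('eq', J, b, c)}]
    return None


def satisfiable(goal, sorts):
    """Depth-first search over subgoals: satisfiable iff some branch reaches a normal goal."""
    sorts = dict(sorts)  # copied: the fresh indices of (ext) stay local to this call
    def search(G):
        subs = step(G, sorts)
        return True if subs is None else any(search(s) for s in subs)
    return search(set(goal))
```

Goals such as $write(a, i, v) = b,\ i = j,\ read(b, j) \neq v$ (unsatisfiable) and the same goal without $i = j$ (satisfiable) exercise (w-elim), (subst) and the (partial-eq) case split; a disequation between two nested writes exercises (ext) and (r-over-w).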

4. Correctness of the Procedure

A satisfiability procedure is sound iff when it reports a goal unsatisfiable, the goal is indeed unsatisfiable. A procedure is complete iff when it reports a goal satisfiable, the goal is indeed satisfiable. A procedure is correct iff it terminates on all inputs, and it is sound and complete. In this section, a detailed proof of completeness for the satisfiability procedure for Arr is given. The proof of termination is routine and omitted for lack of space. The following theorem implies soundness.

Theorem 1 (equisatisfiability)  The conclusion of each rule of the system is satisfiable iff one of its premises is satisfiable.

Proof:  The proof is routine. Consider just the rule (trans). If $a =_{\mathcal{I}} b$ and $a =_{\mathcal{I}'} c$ are true in some model, then it is easy to see by the definition of $=_{\_}$ that $b =_{\mathcal{I} \cup \mathcal{I}'} c$ is also true in that model. If $c$ agrees with $a$ at every index except those in $\mathcal{I}'$ and $a$ agrees with $b$ at every index except those in $\mathcal{I}$, then clearly $i \notin \mathcal{I} \cup \mathcal{I}'$ implies that $c$ agrees with $a$ at $i$ and also that $a$ agrees with $b$ at $i$. Hence, $c$ agrees with $b$ at $i$. For the other direction, if the premise has a model, so does the conclusion, since the conclusion is a subset of the premise. □

Recall that a normal goal is one to which no rule applies. By the equisatisfiability theorem, to prove completeness of the algorithm it suffices to show that any normal goal is satisfiable. This may be done by constructing a model for a normal goal. The following lemma is easily established.

Lemma 1 (effect of phase 1)  A goal that is normal with respect to phase 1 of the algorithm contains no write expressions and no disequations between array expressions.

4.1. A convenient form for normal goals

In preparation for constructing a model, several transformations, which are not actually performed by the algorithm, are applied to a normal goal to give an equisatisfiable normal goal $\Gamma$, which is in a more convenient form. If the normal goal contains equations of the form $x = x$, clearly they may be removed and the result will be equisatisfiable. Next, modify the goal by doing the following. Let $G$ be the goal as it currently stands. If there is a term of the form $read(a, i)$ in $G$ that is not the left hand side of any equation in $G$, choose a constant symbol $c$ not occurring in $G$, and modify $G$ by replacing $read(a, i)$ everywhere in it with $c$ and adding the equation $read(a, i) = c$ to it. If there is no such term $read(a, i)$ in $G$, stop. It is easy to show that the resulting goal is normal and equisatisfiable with the original normal goal. This resulting goal consists of formulas of one of the following four forms, where $x$, $y$, and $z$ are constant symbols:

I. $read(x, y) = z$

II. $x \neq y$

III. $x =_{\mathcal{I}} y$, where every element of $\mathcal{I}$ is a constant symbol

IV. $x = y$

Since this resulting goal is normal, no formula $x = y$ of the form (IV) has its left hand side appearing anywhere else in the goal, since otherwise (subst) would apply. Let $\Gamma$ be this resulting goal, except without the equations of the form (IV). $\Gamma$ will be said to be in convenient normal form. Any model $M$ of $\Gamma$ may be extended to a model of $\Gamma$ with those equations of the form (IV) by giving the same interpretation for the constant $x$ as for the constant $y$, if $M$ interprets $y$, and a single arbitrary interpretation for both $x$ and $y$ otherwise.

4.2. Construction of a model

In this section, a kind of term model for the goal $\Gamma$ in convenient normal form is constructed. Several definitions, in terms of $\Gamma$, are required. The fact that the core congruence closure algorithm (rules (subst) and (symm)) is correct is used (see [14] for the proof).

Definition 3 ($\rightarrow_{\_}$ and $\leftarrow_{\_}$)  Let $\rightarrow_{\_}$ and $\leftarrow_{\_}$ be the ternary relations defined, respectively, by

$$a \rightarrow_{\mathcal{I}} b \text{ iff } (a =_{\mathcal{I}} b) \in \Gamma$$
$$a \leftarrow_{\mathcal{I}} b \text{ iff } (b =_{\mathcal{I}} a) \in \Gamma$$

Note that for any $\mathcal{I}$, $\rightarrow_{\mathcal{I}}$ and $\leftarrow_{\mathcal{I}}$ need not be symmetric, since $(a =_{\mathcal{I}} b) \in \Gamma$ does not imply $(b =_{\mathcal{I}} a) \in \Gamma$.

Definition 4 ($\approx^0_{\_}$)  Let $\approx^0_{\_}$ be the least ternary relation satisfying

1. $a \approx^0_{\emptyset} a$, for every array constant $a$ appearing in $\Gamma$

2. $(a \rightarrow_{\mathcal{I}} b) \vee (b \rightarrow_{\mathcal{I}} a) \Rightarrow a \approx^0_{\mathcal{I}} b$

Definition 5 ($\approx_{\_}$)  Let $\approx_{\_}$ be the least ternary relation containing $\approx^0_{\_}$ and satisfying

$$(\exists c.\ a \approx_{\mathcal{I}} c \wedge c \approx_{\mathcal{I}'} b) \Rightarrow a \approx_{\mathcal{I} \cup \mathcal{I}'} b$$

Definition 6 ($\approx$)  Let $\approx$ be the binary relation defined by

$$a \approx b \text{ iff } \exists \mathcal{I}.\ a \approx_{\mathcal{I}} b$$

The context will help distinguish $\approx_{\_}$ and $\approx$. Note that $\approx$ is an equivalence relation.

Definition 7 (chains)  A chain of applications of a ternary symbol $R$, like $\approx_{\_}$ or $\rightarrow_{\_}$, called an $R$-chain, is defined to be a conjunction of the form $(a_1\ R_{\mathcal{I}_1}\ a_2) \wedge (a_2\ R_{\mathcal{I}_2}\ a_3) \wedge \ldots \wedge (a_{n-1}\ R_{\mathcal{I}_{n-1}}\ a_n)$, with $n \geq 2$.

• The chain is denoted $(a_1\ R_{\mathcal{I}_1}\ a_2\ R_{\mathcal{I}_2} \cdots a_n)$.

• $n$ is the length of the chain.

• The union along the chain is defined to be $\bigcup_{1 \leq i < n} \mathcal{I}_i$.

• The chain is said to be from $x$ to $y$ iff $a_1 = x$ and $a_n = y$.

[Figure 2 (diagram): a single chain $a \rightarrow a' \rightarrow \cdots \rightarrow b$, and two chains $a \rightarrow a' \rightarrow \cdots \rightarrow c$ and $b \rightarrow \cdots \rightarrow c$ meeting at $c$.]

Figure 2. Standard forms for $\approx_{\_}$-chains

Lemma 2 (standard form for chains)  Suppose $a \approx_{\mathcal{I}} b$, with $\mathcal{I} \neq \emptyset$. Then one of the following is true:

i. there is a $\rightarrow_{\_}$-chain from $a$ to $b$ or from $b$ to $a$, where the union along the chain is $\mathcal{I}$

ii. for some $c$, there is a $\rightarrow_{\_}$-chain from $a$ to $c$ and another from $b$ to $c$, where the union of the unions along the two chains is $\mathcal{I}$.

Figure 2 shows the possibilities.

Proof  Let $C$ be a $\approx_{\_}$-chain $a_1 \approx_{\mathcal{I}_1} a_2 \ldots \approx_{\mathcal{I}_{n-1}} a_n$ from $a$ to $b$, with $\mathcal{I} = \bigcup_{1 \leq i < n} \mathcal{I}_i$. Assume $C$ is of minimal length of all such chains. For every $i$ with $1 \leq i \leq n - 1$, let $R_i$ be either $\rightarrow_{\mathcal{I}_i}$ or $\leftarrow_{\mathcal{I}_i}$, and suppose we have $a_1\ R_1\ a_2\ \ldots\ R_{n-1}\ a_n$. It is easy to prove that if this latter chain is not of one of the forms described in (i) and (ii), there must be an $i$ with $1 < i \leq n - 1$ such that $R_{i-1}$ is $\leftarrow_{\mathcal{I}_{i-1}}$ and $R_i$ is $\rightarrow_{\mathcal{I}_i}$. So we have $a_{i-1} \leftarrow_{\mathcal{I}_{i-1}} a_i \rightarrow_{\mathcal{I}_i} a_{i+1}$. So both $a_i =_{\mathcal{I}_{i-1}} a_{i-1}$ and $a_i =_{\mathcal{I}_i} a_{i+1}$ are in $\Gamma$. It must be the case that both $\mathcal{I}_{i-1}$ and $\mathcal{I}_i$ are non-empty, since otherwise (subst) would apply to replace the left hand side of one of those equations by the right hand side of the other. No rules can apply, since $\Gamma$ is normal. Since both $\mathcal{I}_{i-1}$ and $\mathcal{I}_i$ are non-empty, (trans) would be applicable, unless the conditions described in Section 3.3 for preventing non-termination were keeping it from being applied. This implies that either $a_{i-1} =_{\mathcal{I}_{i-1} \cup \mathcal{I}_i} a_{i+1}$ or $a_{i+1} =_{\mathcal{I}_{i-1} \cup \mathcal{I}_i} a_{i-1}$ is in $\Gamma$, since $a_{i-1}$ and $a_{i+1}$ must be their own normal forms as determined by the core congruence closure algorithm. Hence, we have $a_{i-1} \approx_{\mathcal{I}_{i-1} \cup \mathcal{I}_i} a_{i+1}$. So the chain $a_1 \approx_{\mathcal{I}_1} \ldots a_{i-1} \approx_{\mathcal{I}_{i-1} \cup \mathcal{I}_i} a_{i+1} \ldots \approx_{\mathcal{I}_{n-1}} a_n$, whose union is $\mathcal{I}$, has smaller length than $C$. This contradicts the assumption that $C$ is of minimal length of such chains. □

Now an interpretation, given as a function $\llbracket \_ \rrbracket$ from the constant and function symbols of $\Gamma$ to their interpretations, is defined. $\llbracket \_ \rrbracket$ is defined to map every constant symbol $a$ of basic type $I$ to $a$ itself. $\llbracket \_ \rrbracket$ will map array constants to functions. To satisfy extensionality, functions that give the same value for every input are required to be equal. First let $\bot_C$ be a new symbol not occurring in $\Gamma$, for every $\approx$-equivalence class $C$. Define $\llbracket read \rrbracket$ to be the operation of function application, except that when it is given $\bot_C$, it may just return $\bot_C$. Intuitively, for an array constant $a$, $\llbracket a \rrbracket$ will be a function mapping all but a finite number of inputs to a default value $\bot_C$. Formally, suppose $a$ is in $\approx$-equivalence class $C$. Define $\llbracket a \rrbracket$ to be the function that returns $\bot_C$ for every input, except those assigned values by the following:

Definition 8 (interpretation of array constants)

for every constant symbol $b$ of the same type as $a$,
for every set $\mathcal{I}$ such that $a \approx_{\mathcal{I}} b$,
for every index constant $i$ not appearing in $\mathcal{I}$,
if $read(b, i) = x \in \Gamma$ for some $x$, then
the value of $\llbracket a \rrbracket$ for input $\llbracket i \rrbracket$ is defined to be $\llbracket x \rrbracket$.

Notice that the body of Definition 8 may specify the value for $\llbracket a \rrbracket$ on input $i$ more than once. So for $\llbracket \_ \rrbracket$ to be well-defined, if the value of $\llbracket a \rrbracket$ on input $i$ is specified to be $\llbracket x_1 \rrbracket$ and $\llbracket x_2 \rrbracket$, we need $\llbracket x_1 \rrbracket = \llbracket x_2 \rrbracket$. So if $a \approx_{\mathcal{I}} b$ and $a \approx_{\mathcal{I}'} c$ with $i$ not in $\mathcal{I}$ and not in $\mathcal{I}'$, then for $\llbracket \_ \rrbracket$ to be well-defined, it must be the case that if $read(b, i) = x_1,\ read(c, i) = x_2 \in \Gamma$, then $\llbracket x_1 \rrbracket = \llbracket x_2 \rrbracket$. Since the conditions $a \approx_{\mathcal{I}} b$, $a \approx_{\mathcal{I}'} c$, $i$ not in $\mathcal{I}$, and $i$ not in $\mathcal{I}'$ together imply $b \approx_{\mathcal{I} \cup \mathcal{I}'} c$ and $i$ not in $\mathcal{I} \cup \mathcal{I}'$, the following lemma suffices to prove that $\llbracket \_ \rrbracket$ is indeed well-defined.

Lemma 3 (well-definedness of $[\cdot]$) If $a \approx_I b$, $i$ not in $I$, and $read(a, i) = x_1$, $read(b, i) = x_2 \in \Gamma$, then $x_1 = x_2$.

The proof of this lemma relies on the following sublemma.

Lemma 4 (certain reads equal along chains) Suppose $a_1, \dots, a_n$, and $i$ are such that $a_1 \approx_{I_1} \dots \approx_{I_{n-1}} a_n$ for some $I_1, \dots, I_{n-1}$, where $i$ is not in $\bigcup_{1 \le j \le n-1} I_j$. Suppose there is a constant $x$ such that $read(a_1, i) = x \in \Gamma$. Then $read(a_n, i) = x \in \Gamma$.

Proof The proof is by induction on $n$. The base case is trivial. For the induction case, suppose $read(a_1, i) = x \in \Gamma$. Since $\Gamma$ is normal, no rules can apply. So we must have $I_1 \neq \emptyset$, since otherwise (subst) would apply with $a_1 = a_2$ and $read(a_1, i)$. Furthermore, since (partial-eq) cannot apply, it must be the case that the conditions of Section 3.3 for preventing non-termination are what is prohibiting its application with $a_1 \approx_{I_1} a_2$ and $read(a_1, i)$. In particular, it must be the case that $read(a_2, i)$ is already known to be equal to $read(a_1, i)$. The other possibility, namely that $i$ is known to be equal to an element of $I_1$, is excluded because $i$ is not in $I_1$ by hypothesis, and correctness of the core congruence closure algorithm would require $i$ to appear in $I_1$ in a normal goal if $i$ were known to be equal to an element of $I_1$. For $read(a_1, i)$ and $read(a_2, i)$ to have the same normal form with respect to the core congruence closure algorithm, we must have $read(a_2, i) = x \in \Gamma$; this follows from the definition of convenient normal form. Now the induction hypothesis may be applied to conclude that $read(a_n, i) = x \in \Gamma$. □

Proof (of Lemma 3) Suppose $a \approx_I b$ and suppose $I \neq \emptyset$. Then by Lemma 2, there is either a $\to$-chain from $a$ to $b$ or from $b$ to $a$, or there is a constant $c$ such that there is a $\to$-chain from $a$ to $c$ and another from $b$ to $c$. By Lemma 4, in the first case either $read(b, i) = x_1 \in \Gamma$ or $read(a, i) = x_2 \in \Gamma$, and in the second, $read(c, i) = x_1$, $read(c, i) = x_2 \in \Gamma$. Since $\Gamma$ is normal, for all $x$, $y$, and $z$, $read(x, i) = y$, $read(x, i) = z \in \Gamma$ implies $y = z$, since otherwise (subst) would apply. So in either case, $x_1 = x_2$. If $I = \emptyset$, then it must be the case that $a = b$, since $read(a, i)$ and $read(b, i)$ are both in $\Gamma$; otherwise, (subst) would apply. But again, $read(a, i) = x$, $read(a, i) = y \in \Gamma$ implies that $x = y$. □

Lemma 5 (correctness of the constructed model) The model constructed in the previous section satisfies every formula of the goal $\Gamma$ in convenient normal form.

Proof Consider the types (I), (II), and (III) of formulas from the list in section 4.1; recall that goals in convenient normal form consist of formulas of just these types.

Case I: $read(x, y) = z$. Since $x$ is an array constant, $x \approx_\emptyset x$, and so the construction of Definition 8 will assign the value that function $[x]$ takes on argument $[y]$ to be $[z]$. Hence $[read(x, y)] = [z]$.

Case II: $x \neq y$. Since all disequations in $\Gamma$ are between index expressions, $x$ and $y$ must be index constants. Hence, $[x] = x$ and $[y] = y$, by construction. If $x = y$, then the goal would not be normal, because (ax) would apply. So the interpretation satisfies $x \neq y$.

Case III: $x \approx_I y$. It must be shown that for every index constant not in $[I]$, $[x]$ and $[y]$ give the same value. $[x]$ and $[y]$ have the same default value since they are in the same $\approx$-equivalence class. For those index constants $i$ not in $I$ that appear in a formula of the form $read(y, i) = z \in \Gamma$, they store the same values, by Definition 8. □

From the fact that a model has been constructed for a normal goal, the main result now follows.

Theorem 2 (completeness) The satisfiability procedure for Arr is complete.

5. Complexity analysis

Observe that each application of (w-elim) or (partial-eq) leads to one new subgoal for each element of the indexing set $I$ in the rule. The size of $I$ is easily seen to be bounded by the size $N$ of the original goal $\Gamma$. So any deduction from $\Gamma$ may be viewed as a tree with branching factor no more than $N$. It is not hard to show, in fact, that $N$ is an upper bound on the number of branching nodes in the tree, so there are at most $O(N^N) = O(2^{N \log N})$ branches. Each branch can be shown to be of polynomial length, so the algorithm runs in worst-case exponential time.

Theorem 3 (NP-completeness) The problem of testing a conjunction of literals for satisfiability in Arr is NP-complete.

Proof Downey and Sethi showed that a subproblem of the problem decided here is NP-hard [4]. To show that the problem is in NP, observe that the size of the model constructed in the previous section for a goal $\Gamma$ in convenient normal form is polynomial in the size of $\Gamma$. The conversion of a normal goal to convenient normal form incurs at most a polynomial expansion of the goal. So the size of the model constructed is polynomial in the size of the normal goal. Hence a model can be nondeterministically guessed in polynomial time. Checking whether or not a conjunction of literals is satisfied by a model can be done deterministically in polynomial time. So satisfiability of a conjunction of literals can be checked nondeterministically in polynomial time. □

6. Extensions

In this section, several extensions to the refutation procedure for Arr are considered. Due to lack of space, correctness proofs are omitted.

6.1. Propagating all entailed equations

Full incorporation of the satisfiability procedure into the framework for cooperating procedures of [2] requires that the procedure can discover all equations between terms occurring in a satisfiable goal that are entailed by that goal. The procedure for Arr always does this for index terms but not always for array terms. If the rules of Figure 3 are added to phase 2, however, it can be shown that if $t$ and $t'$ are array terms in a normal goal that are entailed to be equal, then $t \approx_\emptyset t'$.

(trans2)

$$\frac{\Gamma,\ a \approx_I b,\ b \approx_{I'} c,\ a \approx_{I \cup I'} c}{\Gamma,\ a \approx_I b,\ b \approx_{I'} c}$$

where $I \neq \emptyset$ and $I' \neq \emptyset$

(patch)

$$\frac{\Gamma,\ a \approx_I b \qquad \Gamma,\ \phi,\ a \approx_I b}{\Gamma,\ a \approx_{\{i\} \cup I} b}$$

where $\phi$ is $read(a, i) = read(b, i)$

Figure 3. Rules to propagate entailed equations

6.2. Propagating properly entailed disjunctions

Definition 9 (proper entailment of disjunctions) A disjunction that is entailed when neither of its disjuncts is entailed is said to be properly entailed.

Incorporating the procedure into the framework of [2] also requires it to have the following property. Let $\phi$ and $\psi$ be equations whose sides appear in goal $\Gamma$. If the procedure reports $\Gamma$ satisfiable, then $\Gamma$ cannot properly entail $\phi \vee \psi$. The original procedure for Arr does not have this property; an example is the normal goal $a \approx_{\{i\}} b$, $a \approx_{\{j\}} b$, $read(b, i) = v$, $read(b, j) = v'$, which entails $i = j \vee v = v'$ but neither $i = j$ nor $v = v'$. It can be proved, however, that the modified procedure of section 6.1 does have this property.

6.3. Allowing constant arrays

Constant arrays are arrays that store a single value for all indices. The language is extended with function symbols $const_\tau$ for each value sort $\tau$, and the following axiom schema is added:

$$\forall x : \tau.\ \forall i : I.\ read(const(x), i) = x$$

The procedure of section 6.1 is modified to obtain a procedure for this extended theory by adding the rules of Figure 4. (const-elim1) is added to both phases, and (const-symm) and (const-elim2) are added to phase 2. To ensure that the conclusion of (const-elim2) entails its premise, the simplifying assumption is made that the interpretation of the type $I$ of indices is infinite. With this modified procedure, goals that are normal with respect to phase 2 may fail to be normal with respect to phase 1. For example, the applications of $const$ in the goal $const(write(a, i, v)) = const(b)$ are removed using (const-elim2) in phase 2, but this adds the equation $write(a, i, v) = b$ to the goal, which could be analyzed with the (w-elim) rule of phase 1. So it is necessary to repeat the phases.


(const-elim1)

$$\frac{\Gamma[x]}{\Gamma[read(const(x), i)]}$$

(const-symm)

$$\frac{\Gamma,\ a \approx_I const(x)}{\Gamma,\ const(x) \approx_I a}$$

where $a$ is not of the form $const(y)$

(const-elim2)

$$\frac{\Gamma,\ x = y}{\Gamma,\ const(x) \approx_I const(y)}$$

Figure 4. Rules to treat constant arrays
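The deterministic model check that the proof of Theorem 3 relies on, run on a constructed goal that also exercises the constant arrays of Section 6.3, as an added Python example that is not part of the paper. The model shape is an assumption modelled on the construction of Section 4: index constants map to integers, an array is a default value plus a finite table of explicitly stored values, and const(x) is then the table-free array with default x. The goal, the literal encoding and the function names are constructed for this example.

```python
# Added example (not from the paper): the deterministic polynomial-time check
# behind the NP-membership argument of Theorem 3, run on a constructed goal.
# Model shape is an assumption modelled on the construction of Section 4:
# index constants map to integers, and an array is a default value plus an
# explicit table of values at finitely many indices. A constant array
# const(x) of Section 6.3 is then the table-free array with default x.
from dataclasses import dataclass, field


@dataclass
class Array:
    default: object
    table: dict = field(default_factory=dict)

    def read(self, i):
        return self.table.get(i, self.default)


def const(x):
    """read(const(x), i) = x for every index i (axiom schema of Section 6.3)."""
    return Array(x)


def write(a, i, v):
    t = dict(a.table)
    t[i] = v
    return Array(a.default, t)


def partial_eq(a, b, I):
    """a ~_I b: a and b store the same value at every index outside I.
    With finitely many explicit entries this reduces to equal defaults and
    equal entries at every explicitly stored index not in I."""
    if a.default != b.default:
        return False
    return all(a.read(i) == b.read(i)
               for i in set(a.table) | set(b.table) if i not in I)


def satisfies(model, goal):
    """Check every literal of a goal (the three literal kinds of convenient
    normal form) against a model: one pass over the goal, each literal in
    time linear in the size of the model."""
    for lit in goal:
        kind = lit[0]
        if kind == 'read':                      # read(a, i) = v
            _, a, i, v = lit
            if model[a].read(model[i]) != model[v]:
                return False
        elif kind == 'neq':                     # i != j (index disequation)
            _, i, j = lit
            if model[i] == model[j]:
                return False
        elif kind == 'peq':                     # a ~_I b
            _, a, b, I = lit
            if not partial_eq(model[a], model[b], {model[i] for i in I}):
                return False
        else:
            raise ValueError('unknown literal kind: %r' % kind)
    return True


# Constructed goal: a ~_{i} b, read(a, j) = v, read(b, j) = v', i != j,
# read(c, i) = x, with c a constant array. Because j lies outside {i},
# the goal entails v = v', so a guessed model with v != v' must be rejected.
GOAL = [('peq', 'a', 'b', {'i'}),
        ('read', 'a', 'j', 'v'),
        ('read', 'b', 'j', "v'"),
        ('neq', 'i', 'j'),
        ('read', 'c', 'i', 'x')]


def candidate_model(v_prime):
    """A guessed model; b is an arbitrary array and a = write(b, i, w)."""
    b = Array('d', {1: 'p'})
    return {'i': 0, 'j': 1, 'v': 'p', "v'": v_prime, 'x': 'z',
            'b': b, 'a': write(b, 0, 'w'), 'c': const('z')}


if __name__ == '__main__':
    print(satisfies(candidate_model('p'), GOAL))   # True
    print(satisfies(candidate_model('q'), GOAL))   # False
```

The check is the verifier half of the NP argument: the nondeterministic guess is replaced here by two hand-built candidates, one of which violates the entailed equation v = v' and is rejected.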


7.  Conclusion 

A  refutation  procedure  for  an  extensional  theory  of 
multi-dimensional  arrays  has  been  presented  and  proved 
correct.  The  theory  Arr  decided  essentially  subsumes  all 
previously  decided  array  theories.  The  procedure  is  suitable 
for  incorporation  into  a  framework  for  cooperating  decision 
procedures. 
Abstract

It is crucial for the performance of ordered resolution or paramodulation-based deduction systems that they incorporate specialized techniques to work efficiently with standard algebraic theories $E$.

Essential ingredients for this purpose are term orderings that are $E$-compatible, for the given $E$, and algorithms deciding constraint satisfiability for such orderings.

Here we introduce a uniform technique providing the first such algorithms for some orderings for abelian semigroups, abelian monoids and abelian groups, which we believe will lead to reasonably efficient techniques for practice.

The algorithms are optimal since we show that, for any well-founded $E$-compatible ordering for these $E$, the constraint satisfiability problem is NP-hard even for conjunctions of inequations, and our algorithms are in NP.

Keywords: symbolic constraints, term orderings, automated deduction.


1 Introduction

It is crucial for the performance of ordered resolution or paramodulation-based deduction systems that they incorporate specialized techniques to work efficiently with standard algebraic theories $E$, like abelian semigroups (AC, for associative and commutative), abelian monoids (AC0), or abelian groups (AG).

Essential ingredients for this purpose are reduction (i.e., well-founded and monotonic) orderings on ground terms that are $E$-compatible for the given $E$, i.e., $s =_E s' \succ t' =_E t$ implies $s \succ t$, and algorithms deciding the satisfiability of ordering constraints for such orderings. Such ordering constraints are used to express ordered strategies in automated deduction at the formula level [8]. This allows one to reduce the search space by inheriting the ordering restrictions while keeping completeness [13, 15].

* Both authors are partially supported by the ESPRIT Basic Research Action CCL-II, ref. WG # 22457, and the Spanish CICYT project HEMOSS ref. TIC98-0949-C02-01. The first author is supported by Departament d'Universitats, Recerca i Societat de la Informació de la Generalitat de Catalunya. A version of this paper with all proofs is available from www.lsi.upc.es/~roberto.

An ordering constraint is a quantifier-free first-order formula built over terms in $T(\mathcal{F}, X)$ and over the binary predicate symbols '$=$' and '$>$'. These constraints are interpreted over the domain of ground terms, where $=$ and $>$ are interpreted, respectively, as a congruence $\approx$ and a reduction ordering $\succ$ such that $\succ$ is total up to $\approx$, i.e., for all ground terms $s$ and $t$ either $s \succ t$ or $t \succ s$ or $t \approx s$. Hence a solution of a constraint $C$ is a substitution $\sigma$ with range $T(\mathcal{F})$ and whose domain is the set of variables of $C$ such that $C\sigma$ evaluates to true when interpreting $=$ as $\approx$ and $>$ as $\succ$. Then we say that $\sigma$ satisfies $C$.

The first practical applications of ordering constraints gave rise to the distinction between fixed signature semantics (solutions are built over a given signature $\mathcal{F}$), and extended signature semantics (new symbols are allowed to appear in solutions). The latter semantics is in some cases easier to check, and is used in applications like the computation of saturated sets of ordering constrained clauses that can be used for deduction with other clauses containing arbitrary new (e.g., Skolem) symbols, but it is less restrictive and hence less powerful for refutational theorem proving. The satisfiability problem for ordering constraints was first shown decidable for the well-known recursive path orderings (RPO) introduced by N. Dershowitz [4], for fixed signatures [2, 7] and extended ones [13, 12]. NP algorithms (fixed and extended signatures) were given in [12, 11]. For the Knuth-Bendix ordering (KBO) this result has only recently been obtained (for fixed signatures) in [9].

Ordered strategies and ordering constraint inheritance can be used without losing completeness with built-in algebraic theories $E$, like AC [14, 18] or AG [6]. An additional advantage of constraints in this context is that in each inference only one conclusion is generated, instead of one conclusion for each $E$-unifier. This can have dramatic consequences. For example, there are more than a million unifiers in $mgu_{AC}(f(x, x, x), f(y_1, y_2, y_3, y_4))$. But, probably due to the lack of adequate orderings and constraint solving algorithms, these ideas have not been put into practice yet. For example, McCune found his well-known AC-paramodulation proof of the Robbins conjecture [10] by still computing complete sets of AC-unifiers, and adding one new equation for each one of them (although heuristics were used to discard some of the unifiers).

Indeed, of the many, rather complex, AC-compatible reduction orderings that have been defined in the literature, only for the AC-RPO ordering of [16] does a constraint solving algorithm exist [3]. But, unfortunately, this algorithm is far from practical due to its conceptual and computational complexity, and moreover, it only deals with extended signature semantics.

However, in many practical cases one has to deal with only one single associative and commutative symbol, and then a simple version of the RPO on flattened terms, which we will call FRPO, fulfills all requirements. The same FRPO can be used as an ingredient for an AG-compatible reduction ordering AG-RPO that satisfies all requirements of [6], by using it to compare AG-normal forms of ground terms. Finally, it turns out that an AC0-compatible ordering AC0-RPO is obtained in a similar way by considering normal forms w.r.t. the rule $x + 0 \to x$.

Here  we  introduce  a  uniform  technique  providing  the 
first  constraint  solving  algorithms  for  fixed  signature  se¬ 
mantics  for  AC  compatible  orderings.  More  precisely,  we 
give  NP  algorithms  for  FRPO-based  orderings  for  abelian 
semigroups,  abelian  monoids  and  abelian  groups.  We  be¬ 
lieve  that  the  new  techniques  will  lead  to  reasonably  effi¬ 
cient  practical  algorithms  for  these  orderings,  and  give  new 
insights  for  the  development  of  constraint  solving  methods 
over  fixed  signatures  for  other  E-compatible  orderings. 

This paper is structured as follows. After the basic definitions of Section 2, in Section 3 we deal with FRPO constraints. For explanation purposes, we start with constraints built with a single unary symbol $f$, a constant symbol $0$ and the AC symbol $+$, and later extend it to arbitrary signatures. After explaining the relatively simple extension to AC0-RPO in Section 4, in Section 5 we deal with the hardest part of the paper, namely the techniques for AG-RPO.

It is obvious that the satisfiability problems we deal with are NP-hard, because as subcases they include the AC, AC0 and AG-unifiability problems which are all NP-hard. As a consequence, since our algorithms are in NP, they are optimal, and the problems are NP-complete. But one may wonder whether there exists any ordering at all for these $E$ such that at least the satisfiability problem for positive conjunctions of inequations (by which one cannot always encode unification) is in P. In Section 6, we answer this question negatively: we show that for any well-founded total $E$-compatible ordering for each one of these $E$, the problem is NP-hard even for conjunctions of positive inequations.

Finally,  in  Section  7  we  give  some  conclusions  and  di¬ 
rections  for  further  work. 


2  Basic  Definitions 


We use the standard notation and terminology for terms and constraints of [5] and [15]. The rewrite system $R_{AG}$ consists of the following five rules:

$$x + 0 \to x \qquad -x + x \to 0 \qquad -(-x) \to x \qquad -0 \to 0 \qquad -(x + y) \to (-x) + (-y)$$

By AG we denote the set of seven equations consisting of these five rules (seen as equations) plus AC, the associativity and commutativity axioms for $+$. By AC0 we mean AC $\cup\, R_{AC0}$, where $R_{AC0} = \{x + 0 \to x\}$. By $=_E$ we denote the congruence on terms generated by a set of equations $E$. In this paper, rewriting with a set of rules $R$ is always considered modulo AC, that is, when writing $\to_R$ we mean the (convergent) relation $=_{AC} \circ \to_R \circ =_{AC}$, and terms will always be considered in flattened form w.r.t. AC: we consider e.g. $+(a, b, c)$ instead of $+(a, +(b, c))$. Furthermore, $+$ is written in infix notation: $a + b + c$.

Let us first recall the definition of RPO, which allows for variadic symbols (hence we can cope with flattened terms). We assume given a precedence $>$ on $\mathcal{F}$, and, for each $f \in \mathcal{F}$, a status which is either multiset or lexicographic. In the following, a symbol will have the multiset status if, and only if, it is variadic. Below, the relation $=^{mul}$ has to be understood modulo permutations of the direct subterms of any symbol whose status is multiset. More precisely, for every permutation $\pi$, if $status(f) = multiset$, then, for all terms $t_1, \dots, t_n$, $f(t_1, \dots, t_n) =^{mul} f(t_{\pi(1)}, \dots, t_{\pi(n)})$.

Then RPO is defined as follows: $s = f(s_1, \dots, s_n) \succ_{rpo} g(t_1, \dots, t_m) = t$ iff

1. $\exists i \in \{1, \dots, n\}$ with $s_i \succ_{rpo} t$ or $s_i =^{mul} t$, or

2. $f > g$ and $s \succ_{rpo} t_i$ for all $i = 1, \dots, m$, or

3. $f = g$ and $status(f) = multiset$, and $\{s_1, \dots, s_n\} \succ^{mul}_{rpo} \{t_1, \dots, t_m\}$ where $\succ^{mul}_{rpo}$ is the multiset extension of $\succ_{rpo}$, or

4. $f = g$ and $status(f) = lexicographic$, and $(s_1, \dots, s_n) \succ^{lex}_{rpo} (t_1, \dots, t_m)$, where $\succ^{lex}_{rpo}$ is the lexicographic extension of $\succ_{rpo}$.
In the following, we call the RPO on flattened terms FRPO: we define $s \succ_{frpo} t$ if $flat(s) \succ_{rpo} flat(t)$. FRPO is not monotonic in general:

Example 1 If $+ > a > b$ then $b + b \succ_{frpo} a$ but $a + a \succ_{frpo} b + b + a$. Also, if $a > + > f$ then $f(a) + f(a) \succ_{frpo} f(f(a))$ but $f(a) + f(f(a)) \succ_{frpo} f(a) + f(a) + f(a)$. Similar non-monotonicities occur if there is more than one AC symbol. □

However, we have the following result:

Lemma 2 ([1]) If $+$ is the only AC symbol and either $+$ is the smallest symbol in the precedence, or else only the smallest constant is smaller than $+$, then FRPO is an AC-compatible reduction (i.e., monotonic and well-founded) ordering on ground terms that is total up to $=_{AC}$.

Let us now define the AC0-RPO and AG-RPO orderings. Given two ground terms $s$ and $t$, we define

$$s \succ_{AC0\text{-}rpo} t \quad \text{if} \quad nf_{R_{AC0}}(s) \succ_{frpo} nf_{R_{AC0}}(t)$$

and

$$s \succ_{AG\text{-}rpo} t \quad \text{if} \quad nf_{R_{AG}}(s) \succ_{frpo} nf_{R_{AG}}(t)$$

where $nf_R(s)$ denotes the normal form w.r.t. $R$ of $s$.

The following is not difficult to prove (see also [6]):

Lemma 3 AC0-RPO (AG-RPO) is a total AC0-compatible (AG-compatible) reduction ordering on ground terms in normal form w.r.t. $R_{AC0}$ ($R_{AG}$) if $+$ is the only AC symbol and the precedence is of the form $\dots > + > 0$ ($\dots > - > + > 0$).

In the following, we will consider these precedences.
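An added Python implementation (not the paper's code) of FRPO as defined in this section, of the precedence condition of Lemma 2, and of AC0-RPO as FRPO on normal forms w.r.t. $x + 0 \to x$. The term encoding, the function names and the `example1` check are assumptions of this example. The lexicographic case follows the standard RPO definition and therefore also requires $s \succ_{rpo} t_j$ for every argument $t_j$ of $t$, a condition that is vacuous for the unary symbols used here.

```python
# Added example (not from the paper): RPO on flattened terms (FRPO) as defined
# in Section 2, the precedence condition of Lemma 2, and AC0-RPO as FRPO on
# normal forms w.r.t. x + 0 -> x. Term encoding is an assumption: a term is
# (symbol, [args]), constants have an empty argument list, and '+' is the only
# variadic (multiset-status) symbol.

def T(sym, *args):
    return (sym, list(args))

def flat(t):
    """Flatten nested applications of the AC symbol '+'."""
    f, args = t
    args = [flat(a) for a in args]
    if f != '+':
        return (f, args)
    out = []
    for a in args:
        out.extend(a[1] if a[0] == '+' else [a])
    return ('+', out)

def eq_mul(s, t):
    """Equality modulo permutation of the arguments of multiset-status symbols."""
    if s[0] != t[0] or len(s[1]) != len(t[1]):
        return False
    if s[0] != '+':
        return all(eq_mul(a, b) for a, b in zip(s[1], t[1]))
    rest = list(t[1])
    for a in s[1]:
        for k, b in enumerate(rest):
            if eq_mul(a, b):
                del rest[k]
                break
        else:
            return False
    return True

def gt_mul(gt, ss, ts):
    """Multiset extension of gt: drop common elements, then every remaining t
    must be dominated by some remaining s, and at least one s must remain."""
    ss, ts = list(ss), list(ts)
    for s in list(ss):
        for k, t in enumerate(ts):
            if eq_mul(s, t):
                ss.remove(s)
                del ts[k]
                break
    return bool(ss) and all(any(gt(s, t) for s in ss) for t in ts)

def make_rpo(prec):
    """prec lists the symbols from largest to smallest in the precedence."""
    rank = {sym: -k for k, sym in enumerate(prec)}

    def rpo(s, t):
        f, ss = s
        g, ts = t
        if any(rpo(si, t) or eq_mul(si, t) for si in ss):    # case 1
            return True
        if rank[f] > rank[g]:                                 # case 2
            return all(rpo(s, ti) for ti in ts)
        if f != g:
            return False
        if f == '+':                                          # case 3
            return gt_mul(rpo, ss, ts)
        # case 4, lexicographic status; as in the standard RPO definition we
        # also require s > t_j for all j, which is vacuous for unary symbols
        for si, ti in zip(ss, ts):
            if not eq_mul(si, ti):
                return rpo(si, ti) and all(rpo(s, tj) for tj in ts)
        return False
    return rpo

def frpo(prec):
    rpo = make_rpo(prec)
    return lambda s, t: rpo(flat(s), flat(t))

def nf_ac0(t):
    """Normal form w.r.t. x + 0 -> x, computed on flattened terms."""
    f, args = flat(t)
    args = [nf_ac0(a) for a in args]
    if f != '+':
        return (f, args)
    args = [a for a in args if a != ('0', [])]
    return ('0', []) if not args else args[0] if len(args) == 1 else ('+', args)

def ac0_rpo(prec):
    gt = frpo(prec)
    return lambda s, t: gt(nf_ac0(s), nf_ac0(t))

def lemma2_precedence_ok(prec, constants):
    """Lemma 2: '+' is the smallest symbol, or only the smallest constant is below it."""
    below = prec[prec.index('+') + 1:]
    return below == [] or (len(below) == 1 and below[0] in constants)

def example1():
    """The non-monotonicity witnesses of Example 1; all four comparisons hold."""
    a, b = T('a'), T('b')
    fa, ffa = T('f', a), T('f', T('f', a))
    gt1 = frpo(['+', 'a', 'b'])                                # + > a > b
    gt2 = frpo(['a', '+', 'f'])                                # a > + > f
    return (gt1(T('+', b, b), a), gt1(T('+', a, a), T('+', b, b, a)),
            gt2(T('+', fa, fa), ffa), gt2(T('+', fa, ffa), T('+', fa, fa, fa)))
```

Both precedences of Example 1 fail the Lemma 2 test (`lemma2_precedence_ok` returns False for them), which is exactly why monotonicity breaks there; with $f > + > 0$ the test passes, and `ac0_rpo` shows that $f(0) + 0$ and $f(0)$, which FRPO orders, become incomparable once normal forms are compared.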

3  FRPO  Constraint  Solving 

For explanation purposes, we present here the simple subcase where the signature contains only $+$, $0$, and a unary function symbol $f$, with the precedence $f > + > 0$.

Let $C$ be an ordering constraint built over $f$, $+$ and $0$, and let $T_C$ be the set of all (sub)terms of $C$ that are: variables, sides of relations $>$ or $=$ in $C$, terms headed with $f$, or terms $t$ such that $f(t)$ occurs in $C$. A linear constraint for $C$ is a constraint $S$ of the form

$$t_{1,1} = \dots = t_{1,k_1} > \dots > t_{n,1} = \dots = t_{n,k_n}$$

where all $t_{i,j}$ are distinct and

$$\{t_{1,1}, \dots, t_{1,k_1}, \dots, t_{n,1}, \dots, t_{n,k_n}\} = T_C \cup \{0\}.$$

We denote by $=_S$ the equivalence relation generated by the equalities in $S$ and by $>_S$ the smallest strict ordering relation on $T(\mathcal{F}, X)$ compatible with $=_S$ and containing the inequalities of $S$.

Each constraint $C$ can be expressed as an equivalent (i.e., with the same solutions) finite disjunction of linear constraints $S$ for $C$ (see below); similarly, in what follows we will also make the following assumptions:

A1. W.l.o.g. we can assume $S$ to be of the form

$$x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots > x_n = t_{n,1} = \dots = t_{n,k_n}$$

where $\{x_1, \dots, x_n\} = vars(S)$ and all $t_{i,j}$ are distinct non-variable terms. Indeed it is sufficient to insert a new (existentially quantified) variable in each equivalence class without any variables, or to merge two equal variables into one if necessary (merging of equal variables, which will be done more often in this paper, can be recorded separately if one wants to reconstruct a solution for the original constraint rather than to decide its satisfiability).

A2. W.l.o.g. we may assume that each $t_{i,j}$ is either: a sum of variables, or the term $0$, or of the form $f(x)$ where $x$ is a variable. This is accomplished by replacing non-variable arguments $t$ by the variable $x$ with $x =_S t$.

A3. W.l.o.g. we may also assume that in each equivalence class $x_i = t_{i,1} = \dots = t_{i,k_i}$ either all $t_{i,j}$ are headed by $+$ or else the class is simply $x_i = f(x)$ or $x_i = 0$ or $x_i$. This is the case since equalities between terms headed with different top symbols are trivially unsatisfiable, and linear constraints (to which the previous transformations have been applied) containing equalities $f(x) = f(y)$ are satisfiable only if $x$ and $y$ are the same variable. The rightmost equivalence class can be assumed to be $x_n = 0$: otherwise $S$ is trivially unsatisfiable.

A4. Again w.l.o.g., for commodity of explanations, $S$ can be assumed to be of the form $x_0 = f(x_1) > \dots$. A constraint $x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots$ can be transformed, by adding an additional leftmost equivalence class, into $x_0 = f(x_1) > x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots$

A5. Every variable $x$ occurring as a proper subterm in $S$ can w.l.o.g. be assumed to have another occurrence to the right of it in $S$ at top level (i.e., not as a proper subterm of another term). Otherwise, $S$ is trivially unsatisfiable.

A6. One may assume that if $f(x) >_S f(y)$, then also $x >_S y$. Otherwise, $S$ is again trivially unsatisfiable.

A7. If we have $y_1 + \dots + y_k >_S f(y)$, then, for some $i$ in $1 \dots k$ we have $y_i >_S f(y)$. Otherwise, $S$ is again trivially unsatisfiable.

Example 4 Let the constraint $C$ be $f(x + z) > y \wedge z > f(x)$. One of its linear constraints is $y = f(x + z) > f(x) > x + z > x = z = 0$. Enforcing the assumptions, it becomes $y = f(w_2) > w_1 = f(x) > w_2 = x + x > x = 0$ by adding new variables $w_1$ and $w_2$ for the classes of $f(x)$ and $x + z$ respectively, and merging $x$ and $z$. However, it is in contradiction with our initial constraint $C$. Another linear constraint is $f(x + z) > x + z > z = y > f(x) > x = 0$, which becomes $w_1 = f(w_2) > w_2 = x + y > y > w_3 = f(x) > x = 0$. This linear system satisfies all our assumptions and it is not in contradiction with $C$. □

Lemma  5  ([2, 12])  Each  constraint  C  can  be  transformed 
into  a  finite  disjunction  of  linear  constraints  satisfying  the 
previous  assumptions,  and  such  that  C  is  satisfiable  if  and 
only  if  one  of  the  linear  constraints  is. 

3.1  Segments  and  the  splitting  transformation 

A term $u$ is a summand if it is headed with a symbol different from $+$. It is a top-level summand of a term $t$ if $t$ is of the form $u$ or $u + t'$. A segment $T$ of a linear constraint $S$ is a subsequence of $S$ of the form

$$x_0 = f(s) > x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots > x_l = t_{l,1} = \dots = t_{l,k_l} > x_{l+1} = t$$

where $t$ is $0$ or headed with $f$ and all $t_{i,j}$ are sums of variables. The variables $x_1, \dots, x_{l+1}$ are said to be the defined variables of $T$, and their occurrences as single variables in their equivalence classes are their definitions.

In such a segment $T$, every variable occurring in some $t_{i,j}$ is defined either in $T$ itself or in some other segment to the right of $T$. Now our aim is to transform $S$ in such a way that the latter kind of variables are removed from $T$, while preserving satisfiability. On the other hand, as a result of this transformation, terms $f(v)$ where $v$ is a sum of variables may appear in $S$.

The idea is as follows. Let $\sigma$ be some arbitrary solution of $S$, let $x$ be a variable defined in $T$, and let $y$ be the variable defined in the equivalence class immediately below $x$, that is, $x$ is $x_j$ with $1 \le j \le l$, and $y$ is $x_{j+1}$. Then $x\sigma \succ y\sigma \succ t\sigma$. Therefore, for at least one of the top-level summands $u$ of $x\sigma$ we have $u \succ t\sigma$. Hence, if $U_x$ is the sum of all top-level summands $u$ of $x\sigma$ with $u \succ t\sigma$, and $u_x$ is the (possibly empty) sum of the smaller ones, then $x\sigma$ is of the form $U_x + u_x$ or of the form $U_x$. Similarly, $y\sigma$ can be of the form $U_y + u_y$ or $U_y$. Furthermore, either (i) $U_x \succ U_y$, or else, if $u_x$ is non-empty, (ii) $U_x = U_y$ and $u_y$ is empty or $u_x \succ u_y$. In the former case, we say that $x > y$ due to the "large" summands, and in the latter case due to the "small" summands.

According to these ideas, $S$ will be transformed by the following splitting transformation, treating one whole segment $T$ at the same time, segment by segment from left to right, except for the rightmost segment, that does not need any treatment. One can assume that in segments $T'$ to the left of $T$, all variables not below $f$ are defined in $T'$. Let $T$ be:

$$x_0 = f(s) > x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots > x_l = t_{l,1} = \dots = t_{l,k_l} > x_{l+1} = t$$

1. Guess a subset of split variables of $\{x_1 \dots x_l\}$ such that whenever $x =_S y_1 + \dots + y_k$, then $x$ is split if, and only if, at least one of the $y_i$ is split or defined in a segment to the right of $T$ (intuitively, $x$ is split if it is guessed to have at least one "small" summand).

2. If $x$ is a split variable, then introduce two new variables $X$ and $x'$, and everywhere in $S$ replace $x$ by $X + x'$. In this case we say that $x$ is split into $X + x'$ (intuitively, the $X$ is for the large summands and the $x'$ for the small ones). If $x$ is a non-split variable of $\{x_1 \dots x_{l+1}\}$, replace $x$ by a new variable $X$.

3. After this, the equivalence classes $e$ in the segment are either of the form $V_1 + v_1 = \dots = V_k + v_k$ or of the form $V_1 = \dots = V_k$, where the $V_i$ are sums of upper case variables and the $v_i$ are sums of lower case variables and variables defined in segments to the right of $T$. If $e$ is such an equivalence class, we denote by $E$ the equivalence class $V_1 = \dots = V_k$ and by $e'$ the class $v_1 = \dots = v_k$ (if it exists for $e$). Then we can write $T$ as $x_0 = f(s) > e_1 > \dots > e_{l+1}$ and we can guess, for each relation $e_j > e_{j+1}$, whether (i) it is due to the large summands or (ii) to the small ones (note that case (ii) applies only if $e'_j$ is non-empty). Accordingly, replace $T$ by the new segment $T'$:

$$x_0 = f(s) > E_1 \;\rho_1\; E_2 \;\rho_2\; \dots \;\rho_l\; E_{l+1}$$

where $\rho_j$ is $>$ in case (i) and $=$ in case (ii). Furthermore, insert each $e'_j$ in a segment to the right of $T$, adding it to an existing equivalence class or creating a new one, in such a way that, whenever $E_j =_{T'} E_{j+1}$, either $e'_j >_S e'_{j+1}$ or $e'_{j+1}$ does not exist.

This transformation does not increase the number of segments of $S$ and only a polynomial number of variables are split: each variable can only lead to $k$ splittings, where $k$ is the number of segments.

Example 6 (Example 4 continued) Let us apply the splitting transformation to the result $w_1 = f(w_2) > w_2 = x + y > y > w_3 = f(x) > x = 0$ of Example 4. First we treat the leftmost segment $w_1 = f(w_2) > w_2 = x + y > y > w_3 = f(x)$. The possible variables to be split are $w_2$ and $y$. We guess to split only $w_2$ into $W_2 + w_2$, obtaining $w_1 = f(W_2 + w_2) > W_2 + w_2 = x + y > y > w_3 = f(x)$. Now, for the relation $W_2 + w_2 > y$ we guess $W_2 = y$. After removing $w_2$ from this segment and inserting it, for example, in the equivalence class of $0$, we obtain $w_1 = f(y + x) > y > w_3 = f(x) > x = 0$. For the segment $w_3 = f(x) > x = 0$ no splitting is needed. □

Definition 7 We say that two sums of variables $X_1 + \dots + X_k$ and $Y_1 + \dots + Y_l$ are compared by segments in $S$ if:

• For all $i$ in $1 \dots k-1$ the segment where $X_{i+1}$ is defined is to the right of the segment where $X_i$ is defined, and the same for the $Y_i$'s for $i$ in $1 \dots l-1$.

• There exists an $i$ in $1 \dots k$ such that $X_j =_S Y_j$ for all $j$ with $j < i$, and either $i = l + 1$ or $i \le l$ and $X_i >_S Y_i$.

If $x >_S y$ and $S'$ is obtained from $S$ by the splitting transformation, then the occurrences of $f(x)$ and $f(y)$ in $S$ become $f(X + X' + X'' + \dots)$ and $f(Y + Y' + Y'' + \dots)$ in $S'$, respectively, where the sums $X + X' + X'' + \dots$ and $Y + Y' + Y'' + \dots$ are compared by segments in $S'$.

3.2  Diophantine  systems 

Assume $S$ is the result of applying the splitting transformation to a linear system. Now we can define a system of diophantine equations and inequations $D_S$ for $S$ as follows. For each segment $T$ in $S$ of the form

$x_0 = f(s) > x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots > x_i = t_{i,1} = \dots = t_{i,k_i} > x_{i+1} = t$

the system $D_S$ contains the equations and inequations:

1. $x_1 > x_2$, $x_2 > x_3$, ..., $x_i > x_{i+1}$

2. $x_j = t_{j,k}$, for all $j$ in $\{1 \dots i\}$, and all $k$ in $\{1 \dots k_j\}$

3. the equation $x_{i+1} = 1$.

Example 8 (Example 6 continued) The system of diophantine equations for $w_1 = f(y + x) > y > w_3 = f(x) > x = 0$ is

$w_1 = 1 \qquad y > w_3 \qquad w_3 = 1 \qquad x = 1$

We obtain a solution $\theta$ for it by defining $y\theta = 2$. Below we will see that from each such a $\theta$ one can build a solution $\sigma$ for the linear constraint from right to left. We have $x\sigma = 0$ and hence $w_3\sigma = f(0)$. Now for each variable $v$ with $v\theta = n$, we define $v\sigma = t + \overset{n}{\dots} + t$, where $t$ is the summand at the lower end of its segment; e.g., we define $y\sigma$ to be $f(0) + f(0)$. Finally, we have $w_1\sigma = f(f(0) + f(0) + 0)$. If one desires to reconstruct the solution for the original constraint of Example 4: $w_2'\sigma$ is 0, and $w_2\sigma$ is $f(0) + f(0)$. □
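The construction of $D_S$ from Section 3.2 and the right-to-left lifting of a solution $\theta$ to a solution $\sigma$ that Example 8 walks through, as an added Python example that is not code from the paper. The segment encoding, the brute-force search over the positive naturals and the names `diophantine_system`, `solve` and `build_sigma` are assumptions of this example; terms are built as strings with $f(\cdot)$ nested syntactically. Only the two displayed segments of Example 8 are encoded, so $w_1$, which is not the lower end of either of them, receives no equation here (Example 8 also lists $w_1 = 1$).

```python
from itertools import product

# Representation (constructed for this example, not the paper's notation): a segment
#   x0 = f(s) > x1 = t_{1,1} = ... > x_i = t_{i,1} = ... > x_{i+1} = t
# is the tuple (x0, s, classes, (x_last, t)) where
#   s       : list of variable names (a sum of variables),
#   classes : list of (x_j, [t_{j,1}, ...]) with every t_{j,k} a list of variable names,
#   t       : the string "0", or ("f", v) for the term f(v) with v a variable
#             defined in the segment to the right.
EXAMPLE_8 = [
    ("w1", ["y", "x"], [("y", [])], ("w3", ("f", "x"))),   # w1 = f(y+x) > y > w3 = f(x)
    ("w3", ["x"], [], ("x", "0")),                          # w3 = f(x) > x = 0
]

def diophantine_system(segments):
    """Equations and inequations of D_S (Section 3.2) for a split linear constraint.
    Returns (variables, ineqs, eqs): ineqs are pairs (a, b) meaning a > b; eqs are
    pairs (x, rhs) with rhs either the integer 1 or a list of variables (a sum)."""
    variables, ineqs, eqs = [], [], []
    for _x0, _s, classes, (x_last, _t) in segments:
        chain = [x for x, _ in classes] + [x_last]
        variables.extend(chain)
        ineqs.extend(zip(chain, chain[1:]))               # 1. x_1 > x_2 > ... > x_{i+1}
        for x_j, sums in classes:
            eqs.extend((x_j, list(tk)) for tk in sums)     # 2. x_j = t_{j,k}
        eqs.append((x_last, 1))                           # 3. x_{i+1} = 1
    return variables, ineqs, eqs

def solve(variables, ineqs, eqs, bound=4):
    """Brute-force search for a solution theta in the positive naturals 1..bound
    (enough for the small system of Example 8; an NP oracle in the paper)."""
    for values in product(range(1, bound + 1), repeat=len(variables)):
        theta = dict(zip(variables, values))
        if all(theta[a] > theta[b] for a, b in ineqs) and all(
            theta[x] == (rhs if isinstance(rhs, int) else sum(theta[v] for v in rhs))
            for x, rhs in eqs):
            return theta
    return None

def build_sigma(segments, theta):
    """Lift theta to a solution sigma of the linear constraint, right to left:
    x_j sigma is n copies of t sigma, where n = x_j theta and t is the summand at
    the lower end of the segment (0 for the rightmost segment)."""
    sigma = {}
    for x0, s, classes, (x_last, t) in reversed(segments):
        t_sigma = "0" if t == "0" else f"f({sigma[t[1]]})"
        for x in [x for x, _ in classes] + [x_last]:
            sigma[x] = "+".join([t_sigma] * theta[x])
        # x0 = f(s): instantiate the top of the segment from the sum s
        sigma.setdefault(x0, f"f({'+'.join(sigma[v] for v in s)})")
    return sigma

if __name__ == "__main__":
    variables, ineqs, eqs = diophantine_system(EXAMPLE_8)
    theta = solve(variables, ineqs, eqs)
    print("theta =", theta)
    print("sigma =", build_sigma(EXAMPLE_8, theta))
```

Running the block reproduces the values of Example 8: $\theta$ assigns $y \mapsto 2$, $w_3 \mapsto 1$, $x \mapsto 1$, and $\sigma$ gives $x\sigma = 0$, $w_3\sigma = f(0)$, $y\sigma = f(0) + f(0)$ and $w_1\sigma = f(f(0) + f(0) + 0)$.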

The following simple result will be used below when solving ordering constraints on multisets of several elements as multisets over a single element:

Lemma 9 Let $C$ be a set $\{c_n, \dots, c_0\}$ with an ordering $\succ$ where $c_n \succ \dots \succ c_0$. Then for any decreasing sequence of finite multisets over $C$

$M_0 \succ\succ \dots \succ\succ M_m$

there exists a weighting function $f : C \to \mathbb{N}$ with $f(c_0) = 1$ such that

$F(M_0) > \dots > F(M_m)$

where the extension to multisets $F$ of $f$ is defined $F(\{a_1, \dots, a_k\}) = f(a_1) + \dots + f(a_k)$.

Proof: Let $k$ be $n_0 + \dots + n_m$. Then, for instance, the function $f(c_i) = k^i$ fulfills the requirements. □
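The weighting of the proof of Lemma 9, as an added Python example that is not part of the paper: it checks that a constructed chain of multisets over $C = \{c_2 \succ c_1 \succ c_0\}$ is decreasing in the multiset ordering, builds $f(c_i) = k^i$ with $k$ the total number of elements in the chain (so every multiplicity is below $k$ and $F$ reads like a base-$k$ number), and returns $F(M_0), \dots, F(M_m)$. Multisets are `Counter`s, and the chain and the function names are this example's own.

```python
from collections import Counter

def multiset_greater(m, n, rank):
    """m >> n, the multiset extension of a total order on C; rank(c) grows with c.
    For a total order, m >> n holds iff the largest element whose multiplicity
    differs occurs more often in m than in n."""
    for c in sorted(set(m) | set(n), key=rank, reverse=True):
        if m[c] != n[c]:
            return m[c] > n[c]
    return False                      # equal multisets

def is_decreasing_chain(chain, rank):
    return all(multiset_greater(a, b, rank) for a, b in zip(chain, chain[1:]))

def weighting(chain, elements):
    """f(c_i) = k^i with k = n_0 + ... + n_m, the total number of elements of the
    chain; `elements` lists C as c_0, c_1, ..., c_n in increasing order, so f(c_0) = 1."""
    k = sum(sum(m.values()) for m in chain)
    return {c: k ** i for i, c in enumerate(elements)}

def extend(f, m):
    """F(M) = f(a_1) + ... + f(a_k) for the multiset M = {a_1, ..., a_k}."""
    return sum(f[c] * n for c, n in m.items())

def weights(chain, elements):
    """F(M_0), ..., F(M_m) under the weighting of Lemma 9, after checking that the
    chain really is decreasing in the multiset ordering (the lemma's hypothesis)."""
    rank = {c: i for i, c in enumerate(elements)}.__getitem__
    if not is_decreasing_chain(chain, rank):
        raise ValueError("chain is not decreasing in the multiset ordering")
    f = weighting(chain, elements)
    return [extend(f, m) for m in chain]

# Constructed sample: C = {c_2 > c_1 > c_0} and the decreasing chain
#   {c_2, c_0, c_0}  >>  {c_1, c_1, c_1, c_1}  >>  {c_1, c_0}  >>  {c_0}
CHAIN = [Counter({"c2": 1, "c0": 2}), Counter({"c1": 4}),
         Counter({"c1": 1, "c0": 1}), Counter({"c0": 1})]
ELEMENTS = ["c0", "c1", "c2"]

if __name__ == "__main__":
    print("f =", weighting(CHAIN, ELEMENTS))   # k = 10, so f = {c0: 1, c1: 10, c2: 100}
    print("F =", weights(CHAIN, ELEMENTS))     # strictly decreasing, as the lemma states
```

With $k = 3 + 4 + 2 + 1 = 10$ the weights are $F(M_0) = 102$, $F(M_1) = 40$, $F(M_2) = 11$ and $F(M_3) = 1$; note that the chain's second multiset has more elements than the first, so a plain count would not do, while the base-$k$ weighting does.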

Lemma 10 Let $S_1 \dots S_m$ be the resulting systems of applying the splitting transformation to a linear constraint $S$ over the signature $f > + > 0$. Then $S$ is satisfiable for FRPO if and only if some $D_{S_i}$ is satisfiable in the positive natural numbers.

Proof: $\Leftarrow$: Assume $D_{S'}$ is satisfiable for some $S'$ in $\{S_1 \dots S_m\}$. Let $\theta$ be a solution for $D_{S'}$. We can build a solution $\sigma$ for $S'$ as follows. For each segment $T$ in $S'$ of the form

$x_0 = f(s) > x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots > x_i = t_{i,1} = \dots = t_{i,k_i} > x_{i+1} = t$

assume a (partial) solution $\sigma$ has already been defined for all segments to the right of $T$. Then, for the variables $x_j$ defined in this segment we define $x_j\sigma$ to be $t\sigma + \overset{n}{\dots} + t\sigma$ where $n = x_j\theta$ (note that if $T$ is the rightmost segment, then $t$ is 0). Clearly, $\sigma$ satisfies all equality relations in $S'$, that is, $u\sigma =_{AC} v\sigma$ for all $u$ and $v$ with $u =_{S'} v$. Furthermore, it also satisfies the relations $x_j\sigma \succ x_{j+1}\sigma$ with $j$ in $\{1 \dots i\}$ for such segments $T$.

Hence it only remains to be checked that $\sigma$ satisfies $f(s)\sigma \succ x_1\sigma$. Since $x_1\sigma$ is of the form $t\sigma + \dots + t\sigma$ and $f > +$, it suffices to check that $f(s)\sigma \succ t\sigma$, where $t$ is headed with $f$ (the case where $t$ is 0 is trivial). Then $f(s)$ is of the form $f(X + X' + X'' + \dots)$ and $t$ is of the form $f(Y + Y' + Y'' + \dots)$, as a result of the splitting transformation applied to terms $f(x)$ and $f(y)$.

But by assumption A6, if $f(x) >_S f(y)$, then also $x >_S y$. Therefore, our result follows: after the splitting transformation, the sums $X, X', X'', \dots$ and $Y, Y', Y'', \dots$ are compared by segments in $S'$, and $\sigma$ assigns one different summand to each segment, and in the correct order.

Once we have this solution $\sigma$ for $S'$, it can be extended to a solution for $S$ by recursively defining $x\sigma$ to be $X\sigma + x'\sigma$, for each splitting of a variable $x$ into $X + x'$.

$\Rightarrow$: Assume $S$ is satisfiable. Now we prove that $D_{S'}$ is satisfiable as well for some $S'$ in $\{S_1 \dots S_m\}$. Let $\sigma$ be a solution of $S$. Let $S'$ be the system obtained by applying the splitting transformation according to $\sigma$, that is, if $x$ is defined in a segment $T$ of $S$ of the form

$x_0 = f(s) > x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots > x_i = t_{i,1} = \dots = t_{i,k_i} > x_{i+1} = t$

then $x$ is split into $X + x'$ if $x\sigma$ contains any summands smaller than $t\sigma$; we proceed similarly for the other guessings, and $\sigma$ is extended conveniently for the new variables. The extended substitution $\sigma$ is a solution for $S'$. Moreover, in a segment of $S'$ like the previous one, for all $j$ in $\{1 \dots i + 1\}$ we have that $x_j\sigma$ contains only top-level summands greater than or equal to $t\sigma$.

Now let $C = \{u_0, \dots, u_n\}$ be all the different top-level summands of these variables, where $u_n \succ u_{n-1} \succ \dots \succ u_0$ and $u_0$ is $t\sigma$. Every $x_j\sigma$ and $t_{j,k}\sigma$ can be seen as a multiset on these summands (the multiset of its top-level summands). By Lemma 9 there exists a function $f : C \to \mathbb{N}$ such that its extension $F$ to multisets satisfies $F(x_1\sigma) > \dots > F(x_{i+1}\sigma)$, and $F(x_{i+1}\sigma) = f(u_0) = 1$. Moreover, since $x_j\sigma$ and $t_{j,k}\sigma$ are the same multiset, if $t_{j,k}$ is of the form $x_{j_1} + \dots + x_{j_p}$ then $F(x_j\sigma) = F(t_{j,k}\sigma) = F(x_{j_1}\sigma) + \dots + F(x_{j_p}\sigma)$. Therefore, the assignment $x_j = F(x_j\sigma)$ satisfies the equations of $D_{S'}$ corresponding to $T$. □

Theorem 11 The satisfiability problem for FRPO constraints over the signature $f > + > 0$ is in NP.

Proof: Generating one of the linear constraints $S$ of the disjunction equivalent to $C$ consists of a polynomial number of guessings of the relations between all the subterms in $C$, and the size of $S$ is polynomial w.r.t. the size of $C$. The splitting transformation consists of a polynomial number of guessings. By Lemma 10 $S$ is satisfiable if and only if there exists a sequence of guessings, in the splitting transformation, giving a linear constraint $S'$, such that $D_{S'}$ is satisfiable. Checking whether $D_{S'}$ is satisfiable is again in NP [17]. □

3.3  More  function  symbols 

We consider now the case where the signature contains any finite number of function symbols with arbitrary arities. The precedence is now of the form $\dots > + > 0$.

W.l.o.g., the following additional assumptions w.r.t. the linear constraint generated from the initial constraint may be assumed (otherwise the linear constraint is again trivially unsatisfiable):

A8. If $f(x_1, \dots, x_n) >_S g(y_1, \dots, y_m)$ and $g > f$, then $x_i >_S g(y_1, \dots, y_m)$ for some $i$ in $1 \dots n$.

A9. If $f(x_1, \dots, x_n) >_S f(y_1, \dots, y_n)$ then either $x_i >_S f(y_1, \dots, y_n)$ for some $i$ in $1 \dots n$ or else $(x_1, \dots, x_n) >_S (y_1, \dots, y_n)$.

Segments are defined as before, except that now the function symbols at the beginning and at the end of it may be different; a segment $T$ of a linear constraint $S$ is a subsequence of $S$ of the form

$x_0 = s > x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots > x_i = t_{i,1} = \dots = t_{i,k_i} > x_{i+1} = t$

where $s$ and $t$ are not headed with $+$ and all $t_{j,k}$ are sums of variables. The splitting transformation and the diophantine system are defined exactly as before.

Lemma 12 Let $S_1 \dots S_m$ be the resulting systems of applying the splitting transformation to a linear constraint $S$. Then $S$ is satisfiable if, and only if, some $D_{S_i}$ is satisfiable.


Theorem  13  The  satisfiability  problem  for  FRPO  con¬ 
straints  is  in  NP. 

4 AC0-RPO Constraints

In this section we consider AC0-RPO constraints over arbitrary signatures of the form $\dots > f > + > 0$. Observe that all terms of the form $0 + \dots + 0$ are equivalent to 0 in this setting and that hence the second smallest term w.r.t. the ordering $\succ$ is $f(0, \dots, 0)$. Therefore we can add, w.l.o.g., an additional assumption to our linear constraints:

A10. All linear constraints $S$ are of the form $S' > x = f(y, \dots, y) > y = 0$ and no term of the form $t + y$ occurs in $S$.

With this additional assumption, it is easy to see that the whole rest of the steps described in the previous section directly suffice for AC0-RPO constraints. Minor details are that, during the splitting process, the new assumption A10 has to be preserved, and then no small variables resulting from a splitting can be inserted in the rightmost segment. Moreover, in the diophantine system it is not necessary to create the equations corresponding to the rightmost segment.

Observe that the basic idea of the splitting process is that solutions for the linear constraint are transformed into new solutions where, at every segment, the variables that appear in it contain only top-level summands of this segment. Therefore, 0 does not appear in segments that are not the rightmost one, and hence everything behaves like in the FRPO case, again solving the diophantine equations over the positive natural numbers. This gives us the following result.

Theorem 14 The satisfiability problem for AC0-RPO constraints is in NP.

5 AG-RPO Constraints

In this section we consider AG-RPO constraints over arbitrary signatures of the form $\dots > - > + > 0$. In this context summands are terms headed with some symbol different from $0$, $+$ or $-$.

Let us first consider some examples over the signature $f > a > - > + > 0$ where $f$ is unary and $a$ is a constant.

Example 15 Then the smallest terms over this signature in increasing order w.r.t. $\succ$ are:

$0,\ a,\ a + a,\ a + a + a,\ \dots,\ -a,\ -a - a,\ -a - a - a,\ \dots,\ f(0),\ f(0) + a,\ f(0) + a + a,\ \dots,\ f(0) - a,\ f(0) - a - a,\ \dots,\ f(0) + f(0),\ f(0) + f(0) + a,\ \dots,\ -f(0)$

where $-a$ is the smallest limit ordinal $\omega$, $f(0)$ is $2\omega$, $f(0) - a$ is $3\omega$, $f(0) + f(0)$ is $4\omega$, $-f(0)$ is $\omega^2$ and $f(a)$ is $2\omega^2$. □

Example 16 We have $f(f(a)) \succ f(a - f(0) + f(a - a))$ since $nf_{R_{AG}}(f(f(a))) = f(f(a)) \succ_{FRPO} f(a) = nf_{R_{AG}}(f(a - f(0) + f(a - a)))$. □

Example 17 Terms can be smaller than their subterms: $\sigma \models x > f(x - f(a))$ if $x\sigma = f(a)$, since $nf_{R_{AG}}(f(a)) = f(a) \succ_{FRPO} f(0) = nf_{R_{AG}}(f(f(a) - f(a)))$. □

Since, as we have seen in the previous example, a linear constraint such that $x$ appears to the right of the segment where it is defined may be satisfiable, assumption A5 will not be made in this section. Similarly, the following example shows us that terms headed with $f$ may become equal to terms headed with $+$ or $-$. Hence assumption A3 is also dropped in this section:

Example 18 $\sigma \models x - y = f(z)$ if we have $x\sigma = f(a) + f(a)$, $y\sigma = f(a)$, $z\sigma = a$. □

Another difficulty to be taken into account is that, after the splitting transformation, contrary to what happened in the previous sections, a solution for a linear constraint may need more than one different top-level summand for some segments:

Example 19 Suppose that we have a signature of the form $f > - > + > 0$ where $f$ is unary. Then the smallest terms are ordered like:

$0,\ f(0),\ f(0) + f(0),\ f(0) + f(0) + f(0),\ \dots,\ -f(0),\ -f(0) - f(0),\ -f(0) - f(0) - f(0),\ \dots,\ f(f(0)),\ \dots$

The linear constraint $f(f(0)) > -z > z > y > -y > f(0)$ is unsatisfiable: since we need to satisfy $y > -y$, necessarily $y\sigma$ is a sum of negative $f(0)$'s. Therefore $z\sigma$ is of the form $-f(0) - \dots - f(0)$, with some more negative $f(0)$'s. But then $-z > z$ is not satisfied by $\sigma$.

However, the linear constraint $f(f(f(0))) > -z > z > y > -y > f(0)$ has the solution $\sigma$ where $y\sigma = -f(0) - f(0)$ and $z\sigma = f(f(0)) + f(f(0))$. It has no solution where $y\sigma$ and $z\sigma$ are built from one single summand. □

5.1 Only unary symbols

For explanation purposes, in this subsection we first assume that all the non-constant function symbols have arity one. Our signature is of the form $\dots > h > c_1 > \dots > c_l > - > + > 0$, where $h$ is the smallest non-constant function symbol, i.e., all the $c_i$ are constants.

Then we have the following ordering on summands (from which the ordering on ground terms is easily derived). If $l = 0$ then the smallest summands are, in increasing order: $h(0),\ h(h(0)),\ h(h(h(0))),\ \dots$ If $l \neq 0$ then the smallest summands are, in increasing order: $c_l,\ \dots,\ c_1,\ h(0),\ h(c_l),\ h(c_l + c_l),\ h(c_l + c_l + c_l),\ \dots$ These summands will be denoted by $sum_1, sum_2, \dots$

Note that the successor summand of a summand of the form $h(s)$ is $h(s + sum_1)$ if $s$ is not of the form $s' - sum_1$, and $h(s - sum_1)$ otherwise. The successor summand of a summand $f(s)$ with $f > h$ is always $h(f(s))$. We write $succsum_k(u)$ to denote the $k$-th successor summand of $u$.

5.1.1 Conditions for the linear constraints.

As before, we generate a disjunction of linear constraints, and apart from the assumptions A1 to A9, except, as said, A3 and A5, we need:

A11. W.l.o.g. one can assume that all the constants $c_i$ and the terms $sum_1$, $sum_2$ and $h(0)$ appear in $S$, and in the correct order. We will refer to the segment between $sum_2$ and $sum_1$ as the base segment.

A12. Every variable $x$ is defined to the right of all occurrences of the form $f(x)$.

A13. There is no $f(x) =_S g(y)$ for $f \neq g$ or $x \neq y$. Therefore we may assume that each equivalence class is of the form $x_i = t_{i,1} = \dots = t_{i,k_i}$ or $x_i = t_{i,1} = \dots = t_{i,k_i} = f(x_j)$, where all $t_{i,l}$ are sums of positive and negative variables.

A14. All linear constraints are of the form $S' > x = \dots = sum_1 > y = \dots = 0$ and no term of the form $t + y$ occurs in $S$.

In all assumptions, the symbols $f$ and $g$ refer always to functions different from $+$ and $-$. Conditions A12 and A13 are weaker versions of conditions A5 and A3 respectively. Condition A14 is a modification of condition A10: in the class of 0, sums of variables defined to the left of it may appear; in a solution for the constraint, these variables will contain summands that cancel each other out.

In this setting, a sum of variables is, in fact, a sum of positive and negative variables, and all assumptions have to be interpreted accordingly. For example, condition A7 implies that no term of the form $-x$ is in a segment to the left of the segment where $x$ is defined.

5.1.2 The splitting transformation.

The splitting transformation is essentially as before, with some differences. For example, when we guess that some relation is due to the small summands, the small terms cannot be inserted in the class of 0. Therefore, it makes no sense to do any splitting of variables in the base segment. Another difference with the previous cases is that after splitting and removing small variables from a segment $T$, some variables defined in $T$ may appear to the right of $T$. For this reason, we need to introduce the so-called associated equations, a set of equations associated to each segment, but that is not inserted in the linear constraint. During the splitting transformation, just after removing the small variables of a segment $T$, equations are associated to $T$ as follows. Let $s$ be a term in an equivalence class to the right of $T$, and suppose that $s$ is of the form $M + m$ or $f(M + m)$, where $M$ is a sum of positive and negative variables defined in $T$ (i.e. upper case variables at this point), and $m$ does not contain any of these variables. Then clearly in any solution $\sigma$ the term $M\sigma$ must be equivalent to 0. Therefore, for each such $s$, the part $M$ is removed from $s$, and $M = 0$ becomes an associated equation of $T$ (if the part $m$ of $s$ is empty, then $M$ is replaced by $y$, the variable of the class of 0).

Finally, for explanation purposes, we want the rightmost class of each $T$ to be of the form $x = t$, for some term $t$ not headed by $+$ (remember: since condition A3 is dropped, there can be other terms headed with $+$ in this class). This can be accomplished as follows. Assume after splitting, this class is of the form $x = T_1 + t_1' = \dots = T_l + t_l' = t$, where the $T_i$ are the "large" sums, i.e., the sums of the positive and negative variables defined in $T$. Then the class $t_1' = \dots = t_l'$ necessarily has to be inserted in the class of 0. Furthermore, the $T_i$'s are removed as well, and the equations $x - T_i = 0$ are added as additional associated equations of $T$.

By processing the segments in this manner, from left to right, when we arrive at the segment containing the class of 0, it is of the form $x = sum_1 > y = 0$, since the rest of the variables cannot appear in this segment at this point.

Example 20 Let us consider the signature $h > - > + > 0$. Suppose during the splitting transformation just after splitting the variables of the leftmost segment we obtain:

$z = h(x_3) > x_3 > x_2 > x_1 > x_0 = x_3 - x_2 - x_1 + y_2 - y_1 - y_1 = h(y_1) > y_3 = x_2 - x_1 - x_0 + y_2 + y_1 > y_2 > y_1 > h(w) > w = 0.$

At this point, if we assume that this splitting of variables has been done according to a solution $\sigma$, then all the $x_i\sigma$ contain top-level summands bigger than or equal to $h(y_1)\sigma$, and all the $y_i\sigma$ contain top-level summands smaller than $h(y_1)\sigma$. Since $(x_3 - x_2 - x_1 + y_2 - y_1 - y_1)\sigma$ must coincide with $h(y_1)\sigma$, the summands below $h(y_1)\sigma$, i.e. those of the $y_i\sigma$'s, must cancel each other, that is, $(y_2 - y_1 - y_1)\sigma$ must be 0. Therefore, we remove $y_2 - y_1 - y_1$ from the sum $x_3 - x_2 - x_1 + y_2 - y_1 - y_1$, and add it to the class of 0, obtaining:

$z = h(x_3) > x_3 > x_2 > x_1 > x_0 = x_3 - x_2 - x_1 = h(y_1) > y_3 = x_2 - x_1 - x_0 + y_2 + y_1 > y_2 > y_1 > h(w) > w = y_2 - y_1 - y_1 = 0$

Now, in order to leave the treated segment in a normalized form $x_0 = h(y_1)$, we remove the $x_3 - x_2 - x_1$ and we add $x_0 - x_3 + x_2 + x_1 = 0$ to the set of associated equations of this segment.

Finally, since the term $x_2 - x_1 - x_0 + y_2 + y_1$ is to the right of $h(y_1)$, and hence it must contain only summands smaller than $h(y_1)\sigma$, we have to force the $x_i$'s to cancel each other. We remove $x_2 - x_1 - x_0$ and we add $x_2 - x_1 - x_0 = 0$ to the associated equations of the leftmost segment. Note that this is a different treatment with respect to what was done with $y_2 - y_1 - y_1$ before. But remember that the aim is to remove variables of the treated segment from the other segments to the right of it. In fact, this $y_2 - y_1 - y_1$ added to the class of 0 will be removed from this class when we treat the next segment, since none of the $y_i$'s is defined in the rightmost segment.

Just after finishing the treatment of the leftmost segment we obtain:

$z = h(x_3) > x_3 > x_2 > x_1 > x_0 = h(y_1) > y_3 = y_2 + y_1 > y_2 > y_1 > h(w) > w = y_2 - y_1 - y_1 = 0$

where the leftmost segment contains the associated equations $x_0 - x_3 + x_2 + x_1 = 0$ and $x_2 - x_1 - x_0 = 0$. □

5.1.3 Diophantine equations.

Example 19 shows that now in solutions more than one summand may be needed in a single segment. But only a certain number of summands play an important role in the comparisons.

Example 21 If $a \succ b \succ c$, in the inequation $a + a + a + b + b + c \succ a + a + a - c - c - c$ the summand $b$ will be called the decisive summand, since it is the greatest summand that appears in both terms with a different number of occurrences. □

Let $s$ be a term and $u$ a summand. The number of occurrences of $u$ in $s$ (notation $\#(u, s)$) is the integer $n$ such that $s =_{AG} nu + s'$, where $u$ is not a top-level summand of $s'$. For instance $\#(a, f(a + b) - a - a) = -2$. Let $s$ and $t$ be two ground terms such that $s \succ t$. The decisive summand of the inequation $s \succ t$ is the top-level summand $u$ such that for all summands $v \succ u$, $\#(v, s) = \#(v, t)$, and either (i) $\#(u, s) > \#(u, t) \ge 0$ or (ii) $\#(u, s) < \#(u, t)$ and $\#(u, s) < 0$.
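The occurrence count $\#(u, s)$ and the decisive summand of $s \succ t$, as an added Python example that is not the paper's code. Ground terms are written as strings in the notation of Example 21 and reduced to their top-level summand counts, which is the $=_{AG}$ normal form the definition relies on (summands are the literal substrings between top-level $+$ and $-$, so $f(0)$ and $f(f(0))$ are distinct summands); the parser, the precedence list of summands and the names `parse`, `occurrences`, `decisive_summand` and `greater` are assumptions of this example. Besides Example 21 it also checks comparisons taken from the term ordering of Example 19.

```python
from collections import Counter

def parse(term):
    """Top-level summand counts of a ground term written with + and -, e.g.
    'a+a+a+b+b+c' -> {'a': 3, 'b': 2, 'c': 1} and 'f(a+b)-a-a' -> {'f(a+b)': 1, 'a': -2}.
    Summands are kept as the literal text between top-level signs; '0' is dropped
    and cancelling copies are removed, which is the AG normal form of the term."""
    counts, sign, depth, buf = Counter(), +1, 0, ""
    for ch in term.replace(" ", "") + "+":          # the sentinel flushes the last summand
        if ch in "+-" and depth == 0:
            if buf and buf != "0":
                counts[buf] += sign
            buf, sign = "", (+1 if ch == "+" else -1)
        else:
            depth += (ch == "(") - (ch == ")")      # signs inside f(...) belong to the summand
            buf += ch
    return {u: n for u, n in counts.items() if n != 0}

def occurrences(s, u):
    """#(u, s): the signed number of top-level occurrences of the summand u in s."""
    return s.get(u, 0)

def decisive_summand(s, t, precedence):
    """For terms s and t given as summand counts and a list of summands in
    increasing order, return (u, case) where u is the decisive summand of s > t
    and case is 'i' or 'ii' as in the definition, or None if s is not greater
    than t (all counts agree, or t wins at the largest differing summand)."""
    rank = {u: i for i, u in enumerate(precedence)}
    for u in sorted(set(s) | set(t), key=rank.__getitem__, reverse=True):
        ns, nt = occurrences(s, u), occurrences(t, u)
        if ns == nt:
            continue                      # #(v, s) = #(v, t) for every larger v
        if ns > nt >= 0:
            return u, "i"                 # s has more positive copies of u
        if ns < nt and ns < 0:
            return u, "ii"                # s has more negative copies of u
        return None                       # the first difference favours t
    return None

def greater(s, t, precedence):
    """s > t, decided by the existence of a decisive summand."""
    return decisive_summand(s, t, precedence) is not None

if __name__ == "__main__":
    S, T = parse("a+a+a+b+b+c"), parse("a+a+a-c-c-c")
    print(decisive_summand(S, T, ["c", "b", "a"]))   # ('b', 'i'), as in Example 21
```

The second test group below reproduces Example 19: $-f(0) - f(0) \succ f(0) + f(0) + f(0)$ holds by case (ii) at the summand $f(0)$, while $f(0) \succ -f(0)$ fails because a negative count beats every positive one.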

Once the splitting transformation has been applied to $S$, we can define a system of diophantine equations and inequations $D_S$ for $S$ as follows. For each segment $T$ in $S$ of the form

$x_0 = s > x_1 = t_{1,1} = \dots = t_{1,k_1} > \dots > x_i = t_{i,1} = \dots = t_{i,k_i} > x_{i+1} = t$

with associated equations $q_1 = 0, \dots, q_l = 0$, several guessings are necessary. First, the number $ndec$ of the segment is guessed. Intuitively, for a given $\sigma$, the number $ndec$ is the cardinality of $dec(T\sigma) \cup \{t\sigma\}$, where $dec(T\sigma)$ is the set of different decisive summands in the inequations $x_j\sigma \succ x_{j+1}\sigma$ with $j > 0$. Hence one can guess $ndec$ to be between 1 and $i + 1$. There are some cases where it must be exactly 1, which is when we know that for all $\sigma$ we have $s\sigma = succsum_1(t\sigma)$:

• $s$ is some $c_j$ and $t$ is $c_{j+1}$, or

• $t$ is $c_1$ and $s$ is $h(0)$, or

• $t$ is $sum_1$ and $s$ is $sum_2$, or

• $t$ is headed with some $f$ with $f > h$ and $s$ is $h(x_{i+1})$.

In the following, the elements of $dec(T\sigma) \cup \{t\sigma\}$ are denoted (and ordered) by $u_{ndec} \succ \dots \succ u_1$. Note that always $t\sigma$ is $u_1$ (if the splitting has been done according to $\sigma$).

Now, for every variable $x_j$ with $1 \le j \le i + 1$ we create $ndec$ integer variables $x_{j,1}, \dots, x_{j,ndec}$, representing the number of occurrences of each decisive summand in $x_j$. For the segments where $ndec$ is 1 (as for the base segment) we preserve the same variable name $x_j$ for the corresponding integer variable.

Example 22 Consider $f > h > - > + > 0$ and suppose that after the splitting transformation we have:

$z_1 = h(w_1 + x_2) > w_6 = -w_5 > w_5 > w_4 = -w_3 > w_3 > w_2 > w_1 = f(z_3) > z_3 = h(x_3) > y_4 = -y_3 > y_3 > y_2 = -y_1 > y_1 = h(x_2) > z_2 = h(x_1) > x_3 > x_2 > x_1 = h(z_0) > z_0 = 0$

Now, we want to find a solution $\sigma$ such that every variable contains summands greater than or equal to the rightmost term of the segment where it is defined. We may guess that the number of decisive summands for the leftmost segment is 3. Therefore, we need to guarantee that at least two summands between $f(z_3)\sigma$ and $h(w_1 + x_2)\sigma$ exist. Observe that the successor summand of $f(z_3)\sigma$ is $h(f(z_3))\sigma$ and the next one is $h(f(z_3) + h(0))\sigma$. Since $x_2$ is a variable in the base segment, we need $x_2\sigma$ to be at least $h(0) + h(0)$. Here appears the need of adding, to the diophantine system, either an equation of the form $x_2 \ge 2$ or one of the form $x_2 < 0$, since $-h(0)$ is greater than any sum of positive $h(0)$'s.

Later on, we may decide that the number of decisive summands for the segment $z_3 = h(x_3) > y_4 = -y_3 > y_3 > y_2 = -y_1 > y_1 = h(x_2)$ is 2. We need to guarantee that there exists at least one summand between $h(x_3)\sigma$ and $h(x_2)\sigma$. Observe that $x_3$ and $x_2$ are defined in the base segment. If we guess $x_2\sigma$ to be $h(0) + \dots + h(0)$, then either $x_3\sigma$ is also of the form $h(0) + \dots + h(0)$ with at least two more $h(0)$'s than $x_2\sigma$, or $x_3\sigma$ is of the form $-h(0) - \dots - h(0)$. If we guess that $x_2\sigma$ is $-h(0) - \dots - h(0)$, then $x_3\sigma$ also has to be $-h(0) - \dots - h(0)$, but with at least two more $-h(0)$'s than $x_2\sigma$. □

We now impose some more diophantine equations ensuring that there will be enough space for the decisive summands between $s\sigma$ and $t\sigma$, when $ndec > 1$. Assume $ndec > 1$ and let $y$ and $z$ be variables defined in the base segment:

1. If $s$ is of the form $h(y + s')$ and $t$ is of the form $h(z + s')$, it has to be guessed whether one adds either the equations (i) $y \ge z + ndec$ and $z \ge 0$, or the equations (ii) $y \le z - ndec$ and $z \le 0$, or the equations (iii) $y < 0$ and $z \ge 0$.

2. If $s$ is of the form $h(y + s')$ and $t$ is of the form $h(s')$, there is another choice between the equation (i) $y \ge ndec$, and the equation (ii) $y < 0$.

3. If $s$ is of the form $h(x_{i+1} + y)$ and $t$ is of the form $f(t')$, either the equation (i) $y \ge ndec - 1$ or (ii) $y < 0$ is added.

The following equations are added to the system $D_S$ in order to express for which inequation which decisive summand is decisive, and whether it decides positively or negatively:

1. For each $j$ between 1 and $i$, we guess which index summand $k$ between 1 and $ndec$ is the decisive one for the inequation $x_j > x_{j+1}$. Now, for all $k' > k$ we add the equation $x_{j,k'} = x_{j+1,k'}$. In order to decide in which manner the $k$-th summand is decisive, we guess adding either (i) $x_{j,k} > x_{j+1,k} \ge 0$ or (ii) $x_{j,k} < x_{j+1,k}$ and $x_{j,k} < 0$.

2. Let $t^k_{j,l}$ be the result of replacing in $t_{j,l}$ every variable $x_{j'}$ by $x_{j',k}$, the integer variable corresponding to the $k$-th decisive summand. Now in order to make sure that the number of occurrences of the $k$-th summand at each side of the equality coincides, add $x_{j,k} = t^k_{j,l}$ for all $j$ in $\{1 \dots i\}$, all $k$ in $\{1 \dots ndec\}$, and all $l$ in $\{1 \dots k_j\}$. We proceed identically with the associated equations.

3. We add $x_{i+1,1} = 1$, and for all $k$ in $\{2 \dots ndec\}$ we add $x_{i+1,k} = 0$.

Theorem 23 The satisfiability problem for AG-RPO constraints restricted to signatures with functions of arity 0 or 1 is in NP.

5.2 Arbitrary arities

The extension to arbitrary signatures is obtained analogously to the AC case. What has to be taken into account is that $succsum_1(f(s_1, \dots, s_k))$ is $h(0, \dots, 0, f(s_1, \dots, s_k))$, and $succsum_1(h(s_1, \dots, s_k))$ is $h(s_1, \dots, s_k + sum_1)$ if $s_k$ is not of the form $s' - sum_1$, and $h(s_1, \dots, s_k - sum_1)$ otherwise.

Theorem 24 The satisfiability problem for AG-RPO constraints is in NP.

6 Hardness

Obviously, the satisfiability problems we deal with are NP-hard, because as subcases they include the AC, AC0 and AG-unifiability problems. But one may wonder whether there exists any ordering at all for these $E$ such that at least the satisfiability problem for positive conjunctions of inequations (by which one cannot always encode unification) is in P. Here we answer this question negatively (by reducing 1-in-3-SAT with only positive literals), even if monotonicity of the ordering is not required.

Theorem 25 Let $E$ be AC, AC0, or AG, and let $\succ$ be any arbitrary well-founded $E$-compatible ordering on ground terms that is total up to $=_E$. Then the constraint satisfiability problem for $\succ$ and $=_E$ is NP-hard even for constraints that are conjunctions of positive inequations.

7 Conclusions and further work

Constraint solving algorithms have been defined for FRPO-based orderings for abelian semigroups, abelian monoids and abelian groups. We believe that the new techniques will lead to reasonably efficient practical algorithms for these orderings. This, as well as building an implementation, is one of the directions for further research in the context of the PhD thesis of the first author.

Finally, we expect that the ideas given here will provide new insights (to us or to others) for the development of constraint solving methods over fixed signatures for other $E$-compatible orderings.
Abstract

Recently we have improved the efficiency of the predicate abstraction scheme presented in [7]. As a result the number of validity checks needed to prove the necessary verification condition has been reduced. The key idea is to refine an approximate abstract transition relation based on the counter-example generated. The system starts with an approximate abstract transition relation on which the verification condition (in our case this is a safety property) is model checked. If the property holds then the proof is done. Otherwise the model checker returns an abstract counter-example trace. This trace is used to refine the abstract transition relation if possible and start anew. At the end of the process the system either proves the verification condition or comes up with an abstract counter-example trace which holds in the most accurate abstract transition relation possible (with the user provided predicates as a basis). If the verification condition fails in the abstract system then either the concrete system does not satisfy it or the abstraction predicates chosen are not strong enough. This algorithm has been used on a concurrent garbage collection algorithm and a secure contract signing protocol. This method improved the performance on the first problem significantly and allowed us to tackle the second problem which the previous method could not handle.


1  Introduction 

Abstraction is emerging as the key to formal verification of large designs, especially those that are not finite-state. Predicate Abstraction provides the potential for combining the generality of theorem proving with the ease-of-use of model checking by automatically mapping an unbounded system (called the concrete system) to a finite state system (called the abstract system). The states of the abstract system correspond to truth assignments to a set of abstraction predicates, which can be supplied by the user or derived from the problem using heuristics [4].

* This work was supported by NASA contract NAS1-98139 and DARPA contract 00-C-8015. The content of this paper does not necessarily reflect the position or the policy of the Government and no official endorsement should be inferred.

The user must supply a verification condition that is to be proved. Throughout this paper, the verification condition is assumed to be an invariant. Of course more complex safety properties can be checked by augmenting the system description with history variables, and specifying an invariant over the history variables. Either the system extracts appropriate predicates or uses user provided abstraction predicates to automatically construct an abstract system from the concrete system description.

Model checking techniques can then be used to check whether the abstract system satisfies the verification condition. The abstraction is conservative, meaning that if a property is shown to hold on the abstract system, there is a concrete version of the property that holds on the concrete system; however, if the verification condition fails to hold on the abstract system, it may or may not hold on the concrete system.

The prototype system described here handles more complex system descriptions than methods previously described. It uses two existing libraries: SVC [2], an implementation of decision procedures for quantifier-free first-order logic, and Boolean Decision Diagrams (called BDDs), an efficient representation for Boolean functions. The use of these efficient libraries is crucial for the success of the system. For example, SVC is typically called tens of thousands of times during verification.

The prototype works in two phases: it first produces a representation of a finite-state machine that is a conservative abstraction of the concrete system. Creating a good abstract machine is expensive, so an over-approximation of the abstract transition relation is computed. In the second phase, the verification condition is checked on this machine using a variant of standard BDD-based model checking algorithms. If the verification condition holds then the proof is complete. Otherwise an abstract counter-example trace is generated. This counter-example is checked to see whether it is an artifact of the approximation during the first phase. If it is, then the abstract transition relation is refined (by adding constraints to the transition relation) so as to eliminate the spurious counter-example and the verification condition is model checked once again. This process is repeated until the verification condition is proved or a valid abstract counter-example is generated. This counter-example guided refinement phase is essential to speed up the predicate abstraction process.

The technique has been applied to a concurrent garbage collection algorithm and a contract signing protocol. The new technique was able to verify the garbage collection algorithm much faster than the technique used by Das, Dill, and Park in 1999 [7], which was the first and still only attempt to verify it using predicate abstraction. The original method could not even prove the contract signing protocol because the proof obligations generated were too difficult for the decision procedure.

Related  work 

The use of automatic predicate abstraction for model checking infinite-state systems was first presented by Graf and Saïdi in 1997 [9]. Their method represented the abstract states as monomials (monomials are conjunctions of abstract state variables or their negations). Compared with the original method of Das, Dill, and Park, and the new method, the use of monomials may result in more false errors and failed proofs. However their method also requires fewer validity checks. The original Graf/Saïdi method computes the reachable state set as part of the abstraction process. Our work uses some of the ideas present in the Graf/Saïdi abstraction scheme [9] and [7].

The creation of the initial abstract transition relation is similar to the abstraction method presented by Saïdi and Shankar [15]. In that work the authors construct an accurate abstract transition relation that is used in model checking. If the desired invariant does not hold, then new predicates are added. In their paper, refinement is used to construct the new abstract transition relation from the original relation. Their method computes the exact abstract transition relation which can be expensive. In contrast our strategy of successive approximation is more efficient because it attempts to compute the least accurate approximation that gives a definitive answer.

Colón and Uribe have also described a method that first generates an abstract transition system, then model checks it [6]. The transition relation generated is less accurate than that presented here.

The idea of counter-example-guided refinement is a generally useful technique in model checking, which has been used before, by Kurshan et al. [13] for checking timed automata, Balarin et al. [1] for language containment and Clarke et al. [5] in the context of verification using abstraction for different variables in a version of the SMV model checker. Counter-example guided refinement has even been used with predicate abstraction by Lakhnech et al. [18]. However, their method refines by discovering new predicates to add, an idea that is quite different from refining the use of a given set of predicates in the abstract system.

We believe that the present method can handle significantly larger problems than previous methods. So far as we know, the original method of Das, Dill and Park is able to handle more difficult problems than any of the other methods described above, and the new method is much more efficient.

2  Abstraction  Method 

This section summarizes the theory of conservative abstraction. Since the theory behind this is well known and descriptions of this can be found in previous papers on this subject (for instance in [9]), the important properties of the abstraction will mostly be stated without formal proof. In stating and proving the claims, we have found that using logical formulas uniformly, instead of a mix of set and logic notation, eliminates a certain amount of confusion. Hence initial states, transition relations and reachable state sets are represented as predicates.

The key idea in conservative abstraction is that the abstract state machine yields a superset of the reachable concrete states. This means that if the verification condition holds in the superset of the reachable concrete states then it will also hold in the concrete system.

The concrete transition system consists of initial states represented by the predicate $I_C$. $I_C(x)$ is true iff $x$ is an initial state. The transition system is represented by $R_C(x,y)$. $R_C(x,y)$ is true iff $y$ is a successor of $x$.

The concrete system is mapped to an abstract transition system. If there are $N$ abstraction predicates, then the abstract state space is a subset of all bit-vectors of length $N$, which can be modeled as follows. If $P = \{\, x \in \mathbb{N} \mid 0 \le x < N \,\}$, then the type of these bit-vectors is $P \to \{0,1\}$. In what follows 1 and 0 shall be interpreted as true and false in the obvious way. The initial states and the transition relation for the abstract system are constructed later in the section.

The abstraction can be formalized as a standard Galois connection, having an abstraction function, $\alpha$, which maps concrete states to bit-vectors, and a concretization function, $\gamma$, which is essentially the inverse image of $\alpha$. Specifically, $\alpha(x)$ is a bit-vector whose $i$-th bit has the truth value $\phi_i(x)$, while $\gamma(s)$ is a predicate on concrete states that holds on $x$ when for every $i \in P$ the $i$-th bit of $s$ matches $\phi_i(x)$.

Definition 1 The abstraction and concretization functions, $\alpha : C \to (P \to \{0,1\})$ and $\gamma : (P \to \{0,1\}) \to C$, are defined as,

\[ \alpha(x)(i) = \phi_i(x) \]

\[ \gamma(s)(x) = \bigwedge_{i \in P} \phi_i(x) = s(i) \]

($=$ between a predicate and a bit is the biconditional)

The definition of $\alpha$ and $\gamma$ can be extended to work on the predicates defined over the concrete states and abstract states respectively. These extended definitions are as follows:

Definition 2 Given predicates, $Q_C$ and $Q_A$ over concrete and abstract states respectively, the abstraction and concretization functions are extended as follows:

\[ \alpha(Q_C)(s) = \exists x.\ Q_C(x) \wedge \bigwedge_{i \in P} \phi_i(x) = s(i) \]

\[ \gamma(Q_A)(x) = \exists s.\ Q_A(s) \wedge \bigwedge_{i \in P} \phi_i(x) = s(i) \]

Predicates are used to describe sets. So the set of all abstract states is defined by the predicate $\exists x.\ \gamma(s)(x)$. Then for any arbitrary predicates $S$ and $X$ defined on the abstract and concrete states respectively it can be easily proved that,

\[ X \to \gamma(\alpha(X)) \]

\[ (\exists x.\ \gamma(S)(x)) \to (S = \alpha(\gamma(S))) \]

These two results show that the abstraction scheme is indeed a Galois connection.

Definition 3 The set of abstract initial states, $I_A$, is defined to be $\alpha(I_C)$.

Notice that $\alpha$ has been used on a concrete predicate and so the second definition of $\alpha$ is to be used. It may be shown that the concrete and abstract initial states satisfy the inclusion relation, $I_C \to \gamma(I_A)$.

Definition 4 The abstract transition relation is represented by a predicate $R_A$ with two states, $s$ and $t$, as arguments. The transition relation is defined as,

\[ R_A(s,t) = \exists x, y.\ \gamma(s)(x) \wedge \gamma(t)(y) \wedge R_C(x,y) \]

The abstract transition system so defined is a conservative abstraction of the concrete system. Let the predicate $S^k_A(s)$ hold if $s$ is an abstract state that is reachable from an initial state after $k$ transitions. Similarly let the predicate $S^k_C(x)$ hold if $x$ is a concrete state that is reachable from an initial state after $k$ transitions. Assuming that

\[ \forall x.\ S^k_C(x) \to \gamma(S^k_A)(x) \qquad (1) \]

holds it can easily be shown that

\[ \forall x.\ S^{k+1}_C(x) \to \gamma(S^{k+1}_A)(x) \]

where the reachable concrete and abstract states after $k+1$ transitions are given by

\[ S^{k+1}_C(y) = S^k_C(y) \vee \exists x.\ S^k_C(x) \wedge R_C(x,y) \]

\[ S^{k+1}_A(t) = S^k_A(t) \vee \exists s.\ S^k_A(s) \wedge R_A(s,t) \]

Then by induction it may be concluded that (1) holds for all $k$. Since the abstract system is finite, the fixed point of abstract reachable states exists and the concretization of the abstract reachable states must include all concrete reachable states. This shows that any invariant that holds in the concretization of the abstract reachable states must also hold in the concrete system. Thus the abstract system is a conservative abstraction of the concrete system.

3  Counter-Example  Guided  Refinement 

Now that the abstract system has been defined, a method is presented to compute the abstract system efficiently and with the necessary accuracy. Usually, computing the exact abstract transition relation defined in the previous section requires excessive time for all but the most trivial of systems. Also, typically the set of abstract reachable states is extremely sparse, so most of the abstract states are unreachable. Hence computing the full transition relation is not necessary.

Assume that the successive approximation process starts with an over-approximation, $R_0$, of the exact abstract transition relation. If a state $t$ is a successor of $s$ in the exact transition relation then $t$ is also a successor of $s$ in the over-approximated transition relation. $R_0$ is used to model check the verification condition. If the verification condition holds then the proof is complete. Otherwise the model checker generates an abstract counter-example trace which violates the verification condition. The abstract counter-example trace is a finite sequence of abstract states, $s_0, s_1, \ldots, s_n$, such that $I_A(s_0)$ holds and $R_0(s_i, s_{i+1})$ holds for every $i \in [0, n)$. Also $s_n$ violates the verification condition. Now, for each pair of consecutive abstract states, $(s_i, s_{i+1})$, check if $R_A(s_i, s_{i+1})$ holds. If it holds for every pair, a valid abstract counter-example has been found. Otherwise $R_0$ can be refined to eliminate the generated counter-example. This process of model checking followed by refinement is repeated till the verification condition is proved or a valid counter-example is found.

We now explain how the refinement process works. Suppose $R$ is an over-approximated abstract transition relation and that the abstract counter-example trace found after model checking has two consecutive states, $s_j$ and $s_{j+1}$, such that $R_A(s_j, s_{j+1})$ is false. The algorithm tries to find a constraint, $C(s,t)$, such that $R_A(s,t) \to C(s,t)$ and $C(s_j, s_{j+1})$ is false. Then the abstract transition relation,

\[ R'(s,t) = R(s,t) \wedge C(s,t) \]

is also a conservative abstract transition relation. Since $R_A(s_j, s_{j+1})$ is false, this means that $\gamma(s_j)(x) \wedge \gamma(s_{j+1})(y) \wedge R_C(x,y)$ is unsatisfiable for every $x$ and every $y$. From the definition of $\gamma$, it follows that $\gamma(s_j)(x) \wedge \gamma(s_{j+1})(y)$ is a conjunction of abstraction predicates, $\phi_i(x)$ and $\phi_i(y)$, and their logical complements. We wish to find a minimal subset of these predicates that is unsatisfiable when conjoined with $R_C(x,y)$. The heuristic in the present system is a simple greedy algorithm. It is explained in Figure 1.

PROVE_VERIFICATION_CONDITION(property)
begin
    I_A := initial state predicate
    R_A := true
    while (true)
        R_orig := R_A
        trace := model check property in abstract system (I_A, R_A)
        if empty(trace) then
            return PROPERTY_PROVED
        else
            for each pair of successive states s_j, s_{j+1} in trace do
                if γ(s_j)(x) ∧ γ(s_{j+1})(y) ∧ R_C(x,y) is unsatisfiable then
                    R_orig := R_A
                    R_A := R_A ∧ REFINE_TRANS_REL(s_j, s_{j+1})
                    break
                endif
            end
            if R_A = R_orig return trace
        endif
    end
end

REFINE_TRANS_REL(s_j, s_{j+1})
/* The function returns the constraint C */
begin
    X := γ(s_j)(x) ∧ γ(s_{j+1})(y)
    for each conjunct, p in X do
        remove p from X
        if satisfiable(X ∧ R_C(x,y)) then
            add p back to X
        endif
    end
    return ¬α(X)
end

Figure 1. Abstract State Machine Refinement
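The loop of Figure 1 run on a toy concrete system, as an added example that is not the paper's prototype (which uses SVC and BDDs): two saturating counters x and y with abstraction predicates x ≤ y and y ≤ x, the invariant x = y (both bits true), and a brute-force satisfiability check over a bounded domain standing in for the decision procedure. The constraint returned by the refinement is expressed through the bit-vectors c_j, c_{j+1} of the theorem that follows; the names (prove, refine_trans_rel, lockstep, x_only) and the domain bound are assumptions of this example.

```python
"""Successive approximation of an abstract transition relation (Figure 1) on a
toy concrete system.  Added example, not the paper's prototype: satisfiability
is decided by enumerating a bounded concrete domain (exact for this finite toy
system) instead of SVC, and abstract states are explicit bit tuples, not BDDs."""
from collections import deque
from itertools import product

MAX = 7  # constructed toy domain: concrete variables x, y range over 0..MAX
CONCRETE = [(x, y) for x in range(MAX + 1) for y in range(MAX + 1)]

# Abstraction predicates phi_0, phi_1 over a concrete state (x, y).
PREDS = [lambda x, y: x <= y, lambda x, y: y <= x]

def lockstep(x, y):
    """Concrete transition R_C: both counters advance together (saturating)."""
    return (x + 1, y + 1) if x < MAX and y < MAX else (x, y)

def x_only(x, y):
    """Concrete transition R_C: only x advances, so x = y is not an invariant."""
    return (x + 1, y) if x < MAX else (x, y)

def alpha(x, y):
    """alpha(x): the bit-vector of predicate truth values (Definition 1)."""
    return tuple(int(p(x, y)) for p in PREDS)

def gamma_conjuncts(s, primed):
    """gamma(s) as a list of conjuncts phi_i(.) = s(i).  Each conjunct is a
    function of a (current, next) concrete pair; `primed` makes it constrain
    the next state y instead of the current state x."""
    def lit(i, bit):
        def conj(cur, nxt):
            x, y = nxt if primed else cur
            return bool(PREDS[i](x, y)) == bool(bit)
        return conj
    return [lit(i, s[i]) for i in range(len(PREDS))]

def satisfiable(conjuncts, step):
    """Is  X ∧ R_C(x, y)  satisfiable?  Brute force over the bounded domain;
    R_C is deterministic here, so the pair is (cur, step(cur))."""
    return any(all(c(cur, step(*cur)) for c in conjuncts) for cur in CONCRETE)

def model_check(initial, rel, invariant):
    """BFS over the abstract system (I_A, R_A): the shortest trace from an
    initial state to a state violating the invariant, or [] if none exists.
    `rel` is a list of constraints whose conjunction is R_A ([] is `true`)."""
    states = list(product((0, 1), repeat=len(PREDS)))
    parent = {s: None for s in initial}
    queue = deque(initial)
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for t in states:
            if t not in parent and all(c(s, t) for c in rel):
                parent[t] = s
                queue.append(t)
    return []

def refine_trans_rel(sj, sj1, step):
    """REFINE_TRANS_REL of Figure 1: greedily drop conjuncts of
    gamma(sj)(x) ∧ gamma(sj1)(y) while the rest stays unsatisfiable with R_C,
    then return the constraint C(s, t) in the bit-vector form of Theorem 1."""
    n = len(PREDS)
    X = [(i, False, c) for i, c in enumerate(gamma_conjuncts(sj, False))]
    X += [(i, True, c) for i, c in enumerate(gamma_conjuncts(sj1, True))]
    for item in list(X):
        X.remove(item)
        if satisfiable([c for _, _, c in X], step):
            X.append(item)  # this conjunct is needed for unsatisfiability
    # c_j(i) / c_{j+1}(i) are true iff the conjunct on phi_i(x) / phi_i(y) was kept
    cj = [any(i == k and not pr for i, pr, _ in X) for k in range(n)]
    cj1 = [any(i == k and pr for i, pr, _ in X) for k in range(n)]
    # C(s,t) = ¬[ ∧_i c_j(i) → s(i) = s_j(i)  ∧  ∧_i c_{j+1}(i) → t(i) = s_{j+1}(i) ]
    return lambda s, t: not (
        all(not cj[i] or s[i] == sj[i] for i in range(n))
        and all(not cj1[i] or t[i] == sj1[i] for i in range(n)))

def prove(step, initial_concrete, invariant):
    """PROVE_VERIFICATION_CONDITION of Figure 1.  Returns ('proved', rounds) or
    ('counterexample', trace, rounds), where rounds counts refinements."""
    I_A = sorted({alpha(*c) for c in initial_concrete})  # I_A = alpha(I_C)
    R_A = []  # R_0 = true: the completely unconstrained abstract relation
    rounds = 0
    while True:
        trace = model_check(I_A, R_A, invariant)
        if not trace:
            return ('proved', rounds)
        refined = False  # plays the role of the R_A = R_orig test in Figure 1
        for sj, sj1 in zip(trace, trace[1:]):
            both = gamma_conjuncts(sj, False) + gamma_conjuncts(sj1, True)
            if not satisfiable(both, step):  # spurious abstract step
                R_A.append(refine_trans_rel(sj, sj1, step))
                rounds += 1
                refined = True
                break
        if not refined:  # every step is concretely possible (cf. Theorem 2)
            return ('counterexample', trace, rounds)
```

With the lockstep transition the invariant is proved after three refinements; with the x-only transition the second round's trace survives the concrete check and is returned as a valid abstract counter-example.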

The following theorem shows that this construction results in a new conservative abstract transition relation. The key point to note is that at the end of the algorithm the conjunction of the remaining conjuncts and $R_C(x,y)$ is unsatisfiable. The bit-vectors $c_j$ and $c_{j+1}$ determine which conjuncts have been removed. Wherever $c_j(k)$ is false, the conjunct involving $\phi_k(x)$ has been removed from $\gamma(s_j)(x)$ in the added constraint, $C(s,t)$. Similarly, if $c_{j+1}(k)$ is false, then the conjunct involving $\phi_k(y)$ has been removed from $\gamma(s_{j+1})(y)$.

Theorem 1 Let the initial abstract transition relation, $R$, satisfy $\forall s,t.\ R_A(s,t) \to R(s,t)$ and $s_j$, $s_{j+1}$ be abstract states and $c_j$ and $c_{j+1}$ be bit-vectors such that

\[ \bigwedge_{i \in P} c_j(i) \to (s_j(i) = \phi_i(x)) \ \wedge\ \bigwedge_{i \in P} c_{j+1}(i) \to (s_{j+1}(i) = \phi_i(y)) \ \wedge\ R_C(x,y) \]

is unsatisfiable, then the new transition relation defined by,

\[ R'(s,t) = R(s,t) \wedge \neg\Big[ \bigwedge_{i \in P} c_j(i) \to (s(i) = s_j(i)) \ \wedge\ \bigwedge_{i \in P} c_{j+1}(i) \to (t(i) = s_{j+1}(i)) \Big] \]

satisfies

\[ \forall s,t.\ R_A(s,t) \to R'(s,t) \]

Proof To prove the theorem assume that $R_A(s,t)$ holds for some arbitrary $s$ and $t$.

Since $R_A(s,t) \to R(s,t)$, it may be concluded that $R(s,t)$ holds as well. Also by definition of $R_A$,

\[ \exists x, y.\ \gamma(s)(x) \wedge \gamma(t)(y) \wedge R_C(x,y) \]

Existential instantiation of the quantifier and using the definition of $\gamma$ yields,

\[ \bigwedge_{i \in P} s(i) = \phi_i(x_0) \ \wedge\ \bigwedge_{i \in P} t(i) = \phi_i(y_0) \ \wedge\ R_C(x_0,y_0) \qquad (2) \]

Because of the condition that $c_j$ and $c_{j+1}$ satisfy,

\[ \neg \exists x, y.\ \Big[ \bigwedge_{i \in P} c_j(i) \to (s_j(i) = \phi_i(x)) \ \wedge\ \bigwedge_{i \in P} c_{j+1}(i) \to (s_{j+1}(i) = \phi_i(y)) \ \wedge\ R_C(x,y) \Big] \]

Simplifying the expression and then instantiating with $x_0$ and $y_0$ yields,

\[ \Big[ \bigvee_{i \in P} c_j(i) \wedge (s_j(i) \neq \phi_i(x_0)) \Big] \ \vee\ \Big[ \bigvee_{i \in P} c_{j+1}(i) \wedge (s_{j+1}(i) \neq \phi_i(y_0)) \Big] \ \vee\ \neg R_C(x_0,y_0) \]

Using the expressions for $\phi_i(x_0)$ and $\phi_i(y_0)$ from (2) (and the fact that $R_C(x_0,y_0)$ holds) yields,

\[ \Big[ \bigvee_{i \in P} c_j(i) \wedge (s_j(i) \neq s(i)) \Big] \ \vee\ \Big[ \bigvee_{i \in P} c_{j+1}(i) \wedge (s_{j+1}(i) \neq t(i)) \Big] \qquad (3) \]

Now from the definition of $R'$,

\[ R'(s,t) = R(s,t) \wedge \neg\Big[ \bigwedge_{i \in P} c_j(i) \to (s(i) = s_j(i)) \ \wedge\ \bigwedge_{i \in P} c_{j+1}(i) \to (t(i) = s_{j+1}(i)) \Big] \]

Simplifying the above definition and using that $R(s,t)$ holds,

\[ R'(s,t) = \Big[ \bigvee_{i \in P} c_j(i) \wedge (s(i) \neq s_j(i)) \ \vee\ \bigvee_{i \in P} c_{j+1}(i) \wedge (t(i) \neq s_{j+1}(i)) \Big] \qquad (4) \]

The combination of (4) and (3) shows that $R'(s,t)$ holds. This completes the proof of the theorem. □

As mentioned above, the approximate abstract system is model checked, and then refined if necessary. This process is repeated until one of the following happens:

1. The verification condition holds.

2. A counter-example trace in which for any two successive states, $s_j$ and $s_{j+1}$,

\[ \exists x, y.\ \gamma(s_j)(x) \wedge \gamma(s_{j+1})(y) \wedge R_C(x,y) \]

holds.

It is easy to see that the process will necessarily terminate in one of these situations. Every refinement must remove at least one pair of abstract states from the transition relation. Since the abstract system is finite, the number of times the refinement can be carried out is bounded.

In the first scenario the desired invariant holds in an over-approximation of the exact abstract transition relation and so would also hold in the exact transition relation. Thus the desired invariant has been proved correct. In the second case the counter-example generated would also hold in the abstract machine with transition relation $R_A$. So further refinement of $R_A$ would be useless. This is proved in the next theorem.

Theorem 2 If an abstract transition system with transition relation, $R$, such that $R_A \to R$, and initial state set, $I_A$, has a counter-example trace, $s_0, s_1, \ldots, s_n$, such that for each $j \in [0, n)$ there are concrete states $x$ and $y$ (not necessarily the same for different values of $j$) such that,

\[ \gamma(s_j)(x) \wedge \gamma(s_{j+1})(y) \wedge R_C(x,y) \]

is satisfiable, then $s_0, s_1, \ldots, s_n$ is also a counter-example trace in the abstract transition system where the transition relation is $R_A$ and the initial state set is $I_A$.

Proof Since $s_0, s_1, \ldots, s_n$ is an execution trace in the approximate transition system,

\[ I_A(s_0) \qquad (5) \]

Now for every $j \in [0, n)$,

\[ R_A(s_j, s_{j+1}) = \exists x, y.\ \gamma(s_j)(x) \wedge \gamma(s_{j+1})(y) \wedge R_C(x,y) \qquad (6) \]

Existential instantiation of the precondition of the theorem yields,

\[ \gamma(s_j)(x_0) \wedge \gamma(s_{j+1})(y_0) \wedge R_C(x_0,y_0) \]

Using this with (6) implies that $R_A(s_j, s_{j+1})$ is true and so $s_{j+1}$ is a successor of $s_j$. Using this fact in conjunction with (5) proves that $s_0, s_1, \ldots, s_n$ is a counter-example trace in the exact abstract system. □

Thus, if a counter-example is generated, either the set of predicates provided is not rich enough to prove the desired verification condition or the invariant does not hold in the concrete system.

4  Prototype  Implementation  and  Results 

A prototype verifier based on the preceding ideas was implemented to evaluate efficiency on real problems. The decision procedure, SVC, was used to do the satisfiability checks. Binary Decision Diagrams were used to represent the abstract transition relation and to model check the verification condition on the abstract system. The user has to provide the predicates used to construct the abstract system.

An obvious choice for the initial approximate abstract transition relation is the completely unconstrained abstract transition relation. The decision procedure, SVC, did not perform well when this was the case, so the prototype produced an initial approximation by heuristically collecting small sets of predicates with many common variables, and building an abstract transition relation using only those predicates.

Unlike the preceding discussion, the prototype creates abstraction predicates on the next-state variables by substituting transition functions for current state variables in the abstraction functions (this is the method used in most previous papers on predicate abstraction).

We have used two examples to evaluate the successive approximation method presented here. The examples are:

• On-The-Fly Garbage Collection

• GJM Secure Contract Signing Protocol

On-The-Fly  Garbage  Collection 

The on-the-fly garbage collection algorithm was proposed by Dijkstra, et al. [8]. This algorithm is widely acknowledged to be difficult to get right, and difficult to prove. A more detailed discussion of the subtlety of this algorithm and subsequent variations can be found in a paper by Havelund and Shankar [10].

The algorithm was simplified by Ben-Ari [3] to involve two colors instead of three. This also led to a simpler argument of correctness. Alternative justifications of Ben-Ari's algorithm were also given by Van de Snepscheut [17] and Pixley [12]. However it must be remembered that these proofs were informal pencil and paper proofs.

Later this modified algorithm was mechanically proved by Russinoff [14] using the Boyer-Moore theorem prover. A formulation of the same algorithm was also proved by Havelund and Shankar in PVS [10]. The authors give an estimation of the complexity and size of the proof. The proof needed 19 invariant lemmas and 57 function lemmas and took about two months. So far as we know, no one has mechanically proved the original algorithm of Dijkstra, et al.

In the garbage collection algorithm, the collector and the user program, the mutator, may be regarded as a concurrent system with both processes working on shared memory. The memory is abstractly modeled as a directed graph with each node having at most two outgoing edges. A subset of these nodes are called roots and they are special in the sense that they are always accessible to the mutator. Also any node that can be reached from one of the roots by following edges is also accessible to the mutator. The mutator is allowed to choose an arbitrary node and redirect one of its edges towards another arbitrarily chosen accessible node. Each memory node also has a color field which the collector uses to keep track of the accessible nodes. The collector also maintains a free-list which is a list of nodes that are not being used by the mutator. The mutator can request nodes from the collector which the collector satisfies from the free-list. The collector collects garbage nodes (that is, nodes which are no longer accessible to the mutator) and adds them to the free-list.

The garbage collection algorithm must satisfy two properties for it to be correct. First it must guarantee that no node accessible to the mutator is ever added to the free-list. The second property is that if some node becomes inaccessible to the mutator it is eventually added to the free-list. The first property makes sure that no data which would be used by the user program is ever freed. The second property makes sure that there are no memory leaks in the system. We have proved that the first property holds for the algorithm using predicate abstraction. The proof of correctness needs some auxiliary graph properties which are treated as axioms by the predicate abstraction tool.

GJM  Abuse-Free  Contract  Signing  Protocol 

The abuse-free contract signing protocol provides a mechanism for signing contracts between two parties and guarantees some correctness properties. A contract can be thought of as reciprocal promises between the involved parties. For instance if Alice is buying a car from Bob then she promises to pay Bob the negotiated price while he promises to give her the car.

A very basic correctness condition is fairness. For a contract signing protocol to be fair it must be the case that after the protocol terminates either both parties have a contract or neither party has a contract. In the previous example if Alice promises to pay the price of the car she should have a promise from Bob that he would give her the car. Otherwise the protocol violates fairness.

Other correctness properties of the protocol are accountability and abuse-freeness. We have not proved these properties.

The protocol we have studied here was introduced in [11]. The protocol depends on a trusted third party to resolve conflicts. The protocol works in two phases. In the first phase the participants exchange messages and try to arrive at a contract. If something goes wrong (either because messages were lost or because of foul play) the trusted third party resolves the contract. The protocol has been exhaustively analyzed for weaknesses using a model checker [16] with a finite number of concurrent contract signings. A problem was discovered during this and was fixed. We have looked at the fixed protocol and proved that it maintains fairness with any number of concurrent contract signings.

Results 

For each example, the execution times on an 800MHz Pentium processor are reported. In the table below the abstraction time is the time required to compute the initial approximate transition relation. The model checking time is the time required to repeatedly model check and refine the abstraction. The time required is compared to the approach presented in implicit predicate abstraction [7].

                    Abstraction time    Model checking time
                    (in hr:min)         (in min)
    GC (implicit)   2:25                N/A
    GC (current)    0:09                1
    GJM (implicit)  24hr+               N/A
    GJM (current)   0:13                4

One reason that the current method works much better than implicit predicate abstraction is that it never has to check the satisfiability of similar expressions repeatedly. To see why this can be a problem with implicit predicate abstraction consider the following example. Assume that we have abstraction predicates $\phi_1 = a > b$ and $\phi_2 = b > a$ (where $a$ and $b$ are concrete state variables). It is obvious that both predicates cannot be true at the same time. In the implicit abstraction scheme, expressions which are unsatisfiable because they are conjunctions containing $\phi_1(x) \wedge \phi_2(x)$ are checked for satisfiability repeatedly. In the current method this will be recognized the first time a counter-example has both predicates true. After that the abstract transition relation will be suitably modified so that a counter-example is never generated which has both predicates asserted simultaneously.

Another interesting observation is that the set of reachable abstract states is usually extremely sparse. So the current method will perform much better than systems which naively compute an exact abstract transition system.

If the verification condition can be proved with the provided abstraction predicates then the current method will indeed be able to prove the verification condition. Thus if the proof fails then that means that the set of abstraction predicates is not enough to prove the verification condition. In systems which construct a weaker abstraction, a failed proof has to be investigated to determine if the proof failed because the abstraction predicates are insufficient or because the approximation lost information.

5  Conclusion 

This  paper  demonstrates  that  using  counter-example 
guided  refinement  with  predicate  abstraction  can  reduce  the 
computational  difficulty  of  formally  verifying  systems  with 
unbounded  numbers  of  states.  However,  we  have  only  done 
a  few  examples  of  any  size,  and  there  are  obviously  many 
additional  problems  that  would  need  to  be  solved  before 
predicate  abstraction  could  be  used  as  routinely  as  model 
checking  is  currently. 

The most obvious issue at this point is the need to find good candidate predicates automatically, instead of requiring the user to provide them. This problem has been addressed to some extent by others (as discussed in section 1), but it is not clear that the techniques would scale up to the size of problems in the previous section. Automatically deriving excessively complex predicates or too many irrelevant predicates could make the computational part of predicate abstraction too difficult. Another important issue is how to find good candidate predicates containing quantifiers, which are needed for the examples in the previous section.

Another difficult issue is how to discover when there are design errors. A good pragmatic step would be to model check a finite instance of the problem before applying predicate abstraction. But feasible finite instances may not exhibit the errors (which is the motivation for doing predicate abstraction in the first place). In the system described here, errors will result in valid abstract counter-examples, but there is no algorithmic way to determine if these correspond to a concrete counter-example, which is what the user really needs to determine whether the problem is a design error or an inadequate abstraction. Of course, the problem is undecidable, so there is no perfect solution, but there may be good heuristics for finding useful counter-examples.
Abstract

Electronic payment protocols are designed to work correctly in the presence of an adversary that can prompt honest principals to engage in an unbounded number of concurrent instances of the protocol. This paper establishes an upper bound on the number of protocol instances needed to attack a large class of protocols, which contains versions of some well-known electronic payment protocols, including SET and IKP. Such bounds clarify the nature of attacks on and provide a rigorous basis for automated verification of payment protocols.

1.  Introduction 

Many protocols, including electronic payment protocols, are designed to work correctly in the presence of an adversary (also called a penetrator) that can prompt honest principals to engage in an unbounded number of concurrent instances of the protocol. Payment protocols should satisfy at least two kinds of correctness requirements: secrecy, which states that certain values are not obtained by the penetrator, and agreement, which states that a principal executes a certain action only if appropriate other principals previously executed corresponding other actions (e.g., a payment gateway approves a charge to customer C's account only if customer C previously authorized that charge).

Allowing an unbounded number of concurrent protocol instances makes the number of reachable states unbounded. The case studies in, e.g., [13, 6, 19, 10, 17] show that state-space exploration of security protocols is feasible when small upper bounds are imposed on the size of messages and the number of protocol instances. In most of those case studies, the bounds are not rigorously justified, so the results do not prove correctness of the protocols. Rigorous automated verification of these protocols requires either symbolic state-space exploration algorithms that directly accommodate these infinite state spaces or theorems that reduce correctness of these protocols to finite-state problems.

This paper presents a reduction for a large class of protocols. It uses the strand space model [24]. A regular strand can be regarded as a thread that runs the program corresponding to one role of the protocol and then terminates. A central hypothesis of our reduction is the bounded support restriction (BSR), which states that in every history (i.e., every possible behavior) of the protocol, each regular strand depends on at most a given number of other regular strands. Our notion of dependence, embodied in the definition of support, is a variant of Lamport's happened-before relation [15], modified to handle freshness of nonces appropriately. BSR is not easily checked by static analysis, so we propose to check it by state-space exploration, while checking the correctness requirements. With statically checkable restrictions alone, it seems difficult to find restrictions that are both strong enough to justify a reduction and weak enough to be satisfied by well-known protocols.

To check BSR by state-space exploration, we need a reduction for it. We prove: if a protocol satisfies its correctness requirements and BSR when appropriate bounds are imposed on the number of regular strands in a history, then the protocol also satisfies its correctness requirements and BSR without those bounds.

Most existing techniques for automated analysis of systems with unbounded numbers of concurrent processes, such as [9, 11, 2, 3, 14], are not applicable to payment protocols, because they assume the set of values (equivalently, the set of local states of each process) is independent of the number of processes, whereas payment protocols generate fresh values, so the set of values grows as the number of processes (strands) increases.

Roscoe and Broadfoot use data-independence techniques to bound the number of nonces needed for an attack [20]. Their result assumes that each trustworthy principal participates in at most a given number of protocol instances at a time. Our reduction does not require that assumption; indeed, our goal is to justify such assumptions. Lowe's reduction [16] has similar goals as our reduction and provides tighter bounds in its domain of applicability, but it does not handle agreement requirements and does not apply to the variants of SET and IKP described in Section 2.1.

The reduction embodied in Theorems 2 and 3 handles secrecy and agreement requirements and applies to simplified versions of SET [21] and IKP [4]. It extends the reduction in [22] in several significant ways. The class of preserved properties is extended to allow protocol-specific secrecy properties (roughly, any non-cryptographic value can be designated as a secret) and to allow use of more general predicates to characterize the desired relationship between actions in agreement properties. The class of protocols is extended by allowing hash functions, allowing arbitrary nesting of hashing and encryption in protocol messages, and relaxing the restriction that the recipient of a message be able to recognize the entire structure of the message.¹ These extensions necessitate substantial changes to the statement and proof of Theorem 1. That theorem is the crux of the proof of our reduction: it provides a statically-calculated bound on a "dynamic" quantity (i.e., a quantity defined by a maximum over all possible executions of the protocol); that quantity is the dependence width, defined in Section 4.

Our results implicitly describe a simulation relation between systems with bounded-size histories and systems with unbounded-size histories. It would be interesting to see whether similar results could be obtained more easily in a process-algebraic framework, such as Spi calculus [1].

2.  Model  of  Protocols 

We use the strand space model [24], with minor modifications.

The set of primitive terms is $\mathit{Prim} = \mathit{Text} \cup \mathit{Key}$, where $\mathit{Text}$ is a set of values other than cryptographic keys, and $\mathit{Key} = \{\mathit{key}(x,y) \mid x,y \in \mathit{Name} \wedge x \neq y\} \cup \{\mathit{pub}(x) \mid x \in \mathit{Name}\} \cup \{\mathit{pvt}(x) \mid x \in \mathit{Name}\}$. Informally, $\mathit{key}(x,y)$ is a symmetric key intended for use by $x$ and $y$, and $\mathit{pub}(x)$ and $\mathit{pvt}(x)$ represent $x$'s public and private keys, respectively, in a public-key cryptosystem. $\mathit{Name}$ is the subset of $\mathit{Text}$ containing names of principals. $\mathit{Nonce}$ is the subset of $\mathit{Text}$ containing nonces.

The set $\mathit{Term}$ of terms is defined inductively as follows. (1) All primitive terms are terms. (2) If $t$ and $t'$ are terms and $k \in \mathit{Key}$, then $\mathit{encr}(t,k)$ (encryption of $t$ with $k$, usually written $\{t\}_k$), $\mathit{pair}(t,t')$ (pairing of $t$ and $t'$, usually written $t \cdot t'$), and $h(t)$ (hash of $t$, where $h$ represents a one-way collision-resistant hash function [18]) are terms.

$\mathit{inv} \in \mathit{Key} \to \mathit{Key}$ maps each key to its inverse: decrypting $\{t\}_k$ with $\mathit{inv}(k)$ yields $t$. For a symmetric key $k$, $\mathit{inv}(k) = k$. We usually write $\mathit{inv}(k)$ as $k^{-1}$.

[A]7n/t{.r)  abbreviates  t  ■  i.e.,  t  signed  by  x. 

A ciphertext is a term whose outermost operator is $\mathit{encr}$. A hash is a term whose outermost operator is $h$. A term $t'$ occurs in the clear in $t$ if there is an occurrence of $t'$ in $t$ that is not in the scope of $\mathit{encr}$ or $h$.

Let $\mathrm{dom}(f)$ denote the domain of a function $f$. A sequence is a function whose domain is a finite prefix of the natural numbers. Let $\mathrm{len}(\sigma)$ denote the length of a sequence $\sigma$. $\langle\langle a, b, \ldots \rangle\rangle$ denotes a sequence $\sigma$ with $\sigma(0) = a$, $\sigma(1) = b$, and so on.

¹ Session keys are not used in the examples in this paper, so we omitted them from the framework. They can be handled roughly as in [22].

A directed term is $+t$ or $-t$, where $t$ is a term. Positive and negative terms represent sending and receiving messages, respectively. We sometimes refer to directed terms as "terms" and treat them as terms, for instance as having subterms.

A trace is a finite sequence of directed terms. Let $\mathit{Trace}$ denote the set of traces.

A trace mapping is a function $tr \in \mathrm{dom}(tr) \to \mathit{Trace}$, where $\mathrm{dom}(tr)$ is an arbitrary set whose elements are called strands.

A node of $tr$ is a pair $(s,i)$ with $s \in \mathrm{dom}(tr)$ and $0 \le i < \mathrm{len}(tr(s))$. Let $\mathcal{N}_{tr}$ denote the set of nodes of $tr$. We say that node $(s,i)$ is on strand $s$. Let $\mathrm{nodes}_{tr}(s)$ denote the set of nodes on strand $s$ in $tr$. Let $\mathrm{strand}((s,i)) = s$, $\mathrm{index}((s,i)) = i$, and $\mathrm{term}_{tr}((s,i)) = tr(s)(i)$.

The local dependence relation is: $(s_1,i_1) \to_{\mathrm{lcl}} (s_2,i_2)$ iff $s_1 = s_2$ and $i_2 = i_1 + 1$.

A term $t$ originates from a node $(s,i)$ in $tr$ iff $(s,i)$ is positive, $t$ is a subterm of $\mathrm{term}_{tr}((s,i))$, and $t$ is not a subterm of $\mathrm{term}_{tr}((s,j))$ for any $j < i$.

A term $t$ uniquely originates from a node $n$ in $tr$ iff it originates from $n$ in $tr$ and not from any other node in $tr$. Typically, nonces are uniquely-originated. This is the strand space way of expressing freshness.

For $S \subseteq \mathcal{N}_{tr}$, let $\mathrm{term}_{tr}(S) = \{\mathrm{term}_{tr}(n) \mid n \in S\}$. For symbols subscripted by the trace mapping, we elide the subscript when the trace mapping is evident from context.

2.1.  Roles,  Protocols,  and  Penetrator 

A role is a parameterized sequence of directed terms. Associated with each parameter is a type, i.e., a set of allowed terms. Some parameters with type $\mathit{Nonce}$ may be designated as uniquely-originated; informally, this means that the value of that parameter must be uniquely-originated. Uniquely-originated parameters are designated by underlining in the parameter list. We require that for every role $r$, for every parameter $x$ of $r$ with type $\mathit{Nonce}$, $x$ is uniquely-originated iff the first occurrence of $x$ in $r$ is in a positive term. Let $r.x$ denote parameter $x$ of role $r$. For example, $B(\underline{nc} : \mathit{Nonce}) = \langle\langle +nc \rangle\rangle$ defines a role $B$ with one uniquely-originated parameter $nc$ with type $\mathit{Nonce}$.

A trace for role $r$ is a prefix of a trace obtained by substituting for each parameter $x$ of $r$ a term in the type of $x$. A role $r$ and a trace $\sigma$ for $r$ uniquely determine a mapping, denoted $\mathit{args}(r,\sigma)$, from the set of parameters of $r$ that appear in $r(0), r(1), \ldots, r(\mathrm{len}(\sigma)-1)$ to $\mathit{Term}$. For example, for role $B(x_1 : \mathit{Name}, x_2 : \mathit{Name}) = \langle\langle +x_1, +x_2 \rangle\rangle$ and $\sigma = \langle\langle +A \rangle\rangle$, $\mathrm{dom}(\mathit{args}(B,\sigma)) = \{x_1\}$ and $\mathit{args}(B,\sigma)(x_1) = A$.
A protocol $\Pi$ is a set of roles, together with a set $\Pi.\mathit{Secret} \subseteq \mathit{Text} \setminus (\mathit{Name} \cup \mathit{Nonce})$ of terms that are "secrets" (i.e., terms that should not be revealed to the penetrator). Excluding names here implies that the penetrator knows all names. Specialized notions of secrecy are used for keys and nonces, as described in Section 2.5.

The penetrator model is parameterized by a set $\mathit{Key}_P \subseteq \mathit{Key}$ of keys initially known to the penetrator. The set $\Pi_P(\mathit{Key}_P)$ of penetrator roles contains:

Pair: $P(x : \mathit{Term}, y : \mathit{Term}) = \langle\langle -x, -y, +x \cdot y \rangle\rangle$
Separation: $S(x : \mathit{Term}, y : \mathit{Term}) = \langle\langle -x \cdot y, +x, +y \rangle\rangle$
Encryption: $E(k : \mathit{Key}, x : \mathit{Term}) = \langle\langle -k, -x, +\{x\}_k \rangle\rangle$
Decryption: $D(k : \mathit{Key}, x : \mathit{Term}) = \langle\langle -k^{-1}, -\{x\}_k, +x \rangle\rangle$
Message: $M(x : \mathit{Text} \cup \mathit{Nonce}) = \langle\langle +x \rangle\rangle$
Key: $K(k : \mathit{Key}_P) = \langle\langle +k \rangle\rangle$
Hash: $H(x : \mathit{Term}) = \langle\langle -x, +h(x) \rangle\rangle$

Typically, $\mathit{Key}_P = \{\mathit{key}(x,y) \in \mathit{Key} \mid x = P \vee y = P\} \cup \{\mathit{pvt}(P)\} \cup \{\mathit{pub}(x) \mid x \in \mathit{Name}\}$.

2.2.  History 

A history of protocol $\Pi$ is a tuple $h = (tr, \to_{\mathrm{msg}}, \mathit{role})$, where $tr$ is a trace mapping, $\to_{\mathrm{msg}}$ is a binary relation on $\mathcal{N}_{tr}$, and $\mathit{role} \in \mathrm{dom}(tr) \to (\Pi \cup \Pi_P(\mathit{Key}_P))$ such that

1. For all $n_1, n_2 \in \mathcal{N}_{tr}$, if $n_1 \to_{\mathrm{msg}} n_2$, then there exists $t \in \mathit{Term}$ such that $\mathrm{term}_{tr}(n_1) = +t$ and $\mathrm{term}_{tr}(n_2) = -t$. This represents that $n_1$ sends $t$, and $n_2$ receives $t$.

2. For all $n_1 \in \mathcal{N}_{tr}$, if $\mathrm{term}_{tr}(n_1)$ is negative, then there exists exactly one $n_2 \in \mathcal{N}_{tr}$ such that $n_2 \to_{\mathrm{msg}} n_1$.

3. $\preceq_h$ is acyclic and well-founded (i.e., does not have infinite descending chains), where $\preceq_h$ is the reflexive and transitive closure of $(\to_{\mathrm{msg}} \cup \to_{\mathrm{lcl}})$. Note that $\preceq_h$ is a partial order, first defined by Lamport [15].

4. For all $s \in \mathrm{dom}(tr)$, $tr(s)$ is a trace for $\mathit{role}(s)$. A regular strand is a strand $s$ with $\mathit{role}(s) \in \Pi$. A penetrator strand is a strand $s$ with $\mathit{role}(s) \in \Pi_P(\mathit{Key}_P)$. Nodes on regular and penetrator strands are called regular nodes and penetrator nodes, respectively. (For convenience, we assume $\Pi \cap \Pi_P(\mathit{Key}_P) = \emptyset$.)

5. For all $s \in \mathrm{dom}(tr)$, for all $x \in \mathrm{dom}(\mathit{args}(\mathit{role}(s), tr(s)))$, if parameter $x$ is uniquely-originated, then $\mathit{args}(\mathit{role}(s), tr(s))(x)$ uniquely originates from $(s,i)$, where $i$ is the index of the first term in $\mathit{role}(s)$ that contains $x$.

6. For all $t \in \Pi.\mathit{Secret}$, $t$ originates only from regular nodes.

Note that a history may contain multiple traces for the same role with identical bindings for parameters that are not uniquely originated.

To reduce clutter, we sometimes use a history instead of a trace mapping as a subscript; e.g., for a history $h = (tr, \to_{\mathrm{msg}}, \mathit{role})$, we define $\mathcal{N}_h = \mathcal{N}_{tr}$.

The set of predecessors of a node $n$ in a history $h$ is $\mathrm{preds}_h(n) = \{n' \in \mathcal{N}_h \mid n' \preceq_h n \wedge n' \neq n\}$.

Let $\mathrm{Hist}(\Pi)$ denote the set of histories of a protocol $\Pi$.

A set $S$ of nodes is backwards-closed with respect to a binary relation $R$ iff, for all nodes $n_1$ and $n_2$, if $n_2 \in S$ and $n_1 \mathrel{R} n_2$, then $n_1 \in S$.

Given a history $h$ of a protocol $\Pi$, a set $S$ of nodes of $h$ that is backward-closed with respect to $\preceq_h$ can be regarded as a history, denoted $\mathrm{nodesToHist}_h^{\Pi}(S)$, in a natural way.

2.3.  Examples 

Consider a payment protocol $\Pi_{\mathrm{SET}}$ based closely on [5] and reminiscent of SET [21], including the use of a dual-signature technique, so that the customer produces only one digital signature. Let $\mathit{Order} \subseteq \mathit{Text}$ and $\mathit{PayDesc} \subseteq \mathit{Text}$ denote sets of order and payment descriptions, respectively. Let $\mathit{Price} \subseteq \mathit{Text}$ and $\mathit{Result} \subseteq \mathit{Text}$ denote sets of prices and results (e.g., "approved"), respectively. Let $\mathit{Name}_c$, $\mathit{Name}_m$, and $\mathit{Name}_g$ be disjoint subsets of $\mathit{Name}$ not containing $P$. For a set $S$ of terms, let $\mathit{Hash}(S) = \{h(t) \mid t \in S\}$. The roles of protocol $\Pi_{\mathrm{SET}}$ appear in Figure 1, and $\Pi_{\mathrm{SET}}.\mathit{Secret} = \emptyset$, for reasons given below. We use let expressions to avoid repetition of large subterms. We allow $\mathrm{Cust}.m = P$ and $\mathrm{Gate}.m = P$ to model malicious merchants; similarly for malicious clients and gateways. There is no reason to allow the "me" variable of each role (namely, $\mathrm{Cust}.c$, $\mathrm{Mrch}.m$, and $\mathrm{Gate}.g$) to equal $P$, because $P$'s actions are modeled by penetrator strands.

Use of $\mathit{Hash}(\mathit{PayDesc})$ instead of the set of all hashes as the type for $\mathrm{Mrch}.hpd$ requires some justification, because a merchant cannot determine whether the hash received in $hpd$ is the hash of a payment description or, say, a ciphertext. Attacks involving terms that are not of the expected type are called type flaw attacks. Use of the types $\mathit{Hash}(\mathit{PayDesc})$ and $\mathit{Hash}(\mathit{Order})$ can be justified by results like those in [12], which show that type flaw attacks can be prevented by using type tags in the protocol implementation. Extending their results to accommodate hashing and to accommodate the slightly larger class of agreement properties introduced below is fairly straightforward.

Cust(c : Name_c, m : Name_m ∪ {P}, g : Name_g ∪ {P}, \underline{nc} : Nonce, nm : Nonce,
     price : Price, od : Order, pd : PayDesc, result : Result) =
  let trans = c·m·g·nc·nm·price·h(od)·h(pd) in
  ⟨⟨ +c·m,                                           (* 1. to merchant *)
     −nm,                                            (* 2. from merchant *)
     +[trans]_{pvt(c)}·{od}_{pub(m)}·{pd}_{pub(g)},  (* 3. to merchant *)
     −[result·h(trans)]_{pvt(g)} ⟩⟩                  (* 4. from gateway *)

Mrch(c : Name_c ∪ {P}, m : Name_m, g : Name_g ∪ {P}, nc : Nonce, \underline{nm} : Nonce,
     price : Price, od : Order, hpd : Hash(PayDesc), epd : Term, result : Result) =
  let trans = c·m·g·nc·nm·price·h(od)·hpd in
  ⟨⟨ −c·m,                                           (* 1. from customer *)
     +nm,                                            (* 2. to customer *)
     −[trans]_{pvt(c)}·{od}_{pub(m)}·epd,            (* 3. from customer *)
     +[trans]_{pvt(c)}·[trans]_{pvt(m)}·epd,         (* 4. to gateway *)
     −[result·h(trans)]_{pvt(g)} ⟩⟩                  (* 5. from gateway *)

Gate(c : Name_c ∪ {P}, m : Name_m ∪ {P}, g : Name_g, nc : Nonce, nm : Nonce,
     price : Price, hod : Hash(Order), pd : PayDesc, result : Result) =
  let trans = c·m·g·nc·nm·price·hod·h(pd) in
  ⟨⟨ −[trans]_{pvt(c)}·[trans]_{pvt(m)}·{pd}_{pub(g)},  (* 1. from merchant *)
     +[result·h(trans)]_{pvt(g)} ⟩⟩                     (* 2. to merchant *)

Figure 1. Roles for Π_SET. Comments indicate step number and intended source or destination of message.

As another example, consider a version of the IKP protocol [4] based closely on [8]. Following [8], we assume the customer account number (CAN) is secret and hence (for brevity) omit the PIN. We also omit the date field, since it does not affect the secrecy or agreement properties of $\Pi_{\mathrm{IKP}}$ given below, assuming nonces are uniquely-originated. Let $\mathit{AcctNum} \subseteq \mathit{Text}$ be a set of account numbers. To model dishonest customers (i.e., customers that collude with the penetrator), we partition $\mathit{AcctNum}$ into two sets, $\mathit{AcctNum}_0$ and $\mathit{AcctNum}_1$, which contain account numbers of honest and dishonest customers, respectively. Let $\mathit{Order}$, $\mathit{Result}$, $\mathit{Name}_m$, and $\mathit{Name}_g$ be as above. We assume these subsets of $\mathit{Text}$ are disjoint. IKP is designed for settings where the gateway has a private key with a well-known public key, but the customer and merchant do not. Consequently, IKP provides few guarantees if the gateway is dishonest, so we do not include $P$ in the types of $\mathrm{Cust}.g$ and $\mathrm{Mrch}.g$. The roles of protocol $\Pi_{\mathrm{IKP}}$ appear in Figure 2, and $\Pi_{\mathrm{IKP}}.\mathit{Secret} = \mathit{AcctNum}_0$.

2.4.  Derivability 

Informally, a term $t$ is derivable (by the penetrator) from a set $S$ of nodes if the penetrator can compute $t$ from $\mathrm{term}(S)$ and $\mathit{Key}_P$. A formal definition follows.

For a nonce $g$ that uniquely originates in a history $h$, let $\mathrm{origin}_h(g)$ denote the node from which $g$ originates in $h$.

For a set $S$ of nodes in a history $h = (tr, \to_{\mathrm{msg}}, \mathit{role})$ of a protocol $\Pi$, let $\mathrm{uniqOrigReqrd}_h^{\Pi}(S)$ denote the set of nonces $g$ such that there exists $(s,i) \in S$ and $x \in \mathrm{dom}(\mathit{args}(\mathit{role}(s), tr(s)))$ such that parameter $x$ is uniquely originated and $\mathit{args}(\mathit{role}(s), tr(s))(x) = g$ and $\mathrm{origin}_h(g) = (s,i)$.

For a directed term $t$, the absolute value of $t$, denoted $\mathrm{abs}(t)$, is $t$ without its sign. For $T \subseteq \mathit{Term}$, $\mathrm{abs}(T) = \{\mathrm{abs}(t) \mid t \in T\}$, and the role $\mathrm{Src}_T$ is defined by $\mathrm{Src}_T(x : T) = \langle\langle +x \rangle\rangle$.

A term $t$ is derivable (by the penetrator) from a set $S$ of nodes of a history $h$ of a protocol $\Pi$, denoted $S \vdash_h^{\Pi} t$, if there exists a history $h' = (tr', \to'_{\mathrm{msg}}, \mathit{role}')$ of the protocol $\{\mathrm{Src}_{\mathrm{abs}(\mathrm{term}_{tr}(S))}\}$ such that: (1) arguments of strands for Message in $h'$ are not in $\mathrm{uniqOrigReqrd}_h^{\Pi}(S)$; and (2) there exists a node $n \in \mathcal{N}_{tr'}$ with $\mathrm{term}_{tr'}(n) = +t$. This relation is equivalent to the derivability relation in [7] and can be computed using the approach in [7].
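As an added illustration of the penetrator roles of Section 2.1 and the derivability relation just defined (example code written for this page, not from the paper), the following Python decides $S \vdash t$ by first closing the penetrator's knowledge under Separation and Decryption and then composing with Pair, Encryption and Hash. The tuple encoding of terms, right-nested pairing, the scenario built around the $\Pi_{\mathrm{SET}}$ customer's step-3 message with $\mathit{Secret}$ taken as orders plus payment descriptions, and the modelling of $[t]_{\mathit{pvt}(x)}$ as $\{t\}_{\mathit{pvt}(x)}$ are assumptions of the example.

```python
# Added example (not from the paper): penetrator derivability, Section 2.4,
# over the term algebra of Section 2 with the penetrator roles of Section 2.1.
# Assumptions: pairing is right-nested, and [t]_pvt(x) is modelled as {t}_pvt(x).

def text(v):     return ("text", v)
def nonce(v):    return ("nonce", v)
def sym(x, y):   return ("key", "sym", frozenset((x, y)))   # key(x, y)
def pub(x):      return ("key", "pub", x)
def pvt(x):      return ("key", "pvt", x)
def encr(t, k):  return ("encr", t, k)                      # {t}_k
def hsh(t):      return ("hash", t)                         # h(t)

def pair(*ts):   # t1 . t2 . ... . tn
    return ts[0] if len(ts) == 1 else ("pair", ts[0], pair(*ts[1:]))

def inv(k):      # symmetric keys are self-inverse; pub(x) <-> pvt(x)
    _, kind, x = k
    return k if kind == "sym" else ("key", "pvt" if kind == "pub" else "pub", x)

def analyze(known):
    """Close a term set under Separation and Decryption (roles S and D).
    Runs to a fixpoint: an opened ciphertext may reveal a key that opens
    more.  Hashes are one-way, so they are never inverted."""
    K = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(K):
            if t[0] == "pair":
                parts = (t[1], t[2])
            elif t[0] == "encr" and inv(t[2]) in K:
                parts = (t[1],)
            else:
                continue
            for u in parts:
                if u not in K:
                    K.add(u)
                    changed = True
    return K

def derivable(t, s_terms, keyp, guessable):
    """S |- t.  s_terms is abs(term(S)); keyp is Key_P (the Key role);
    guessable(v) says whether the Message role may emit Text/Nonce v, i.e.
    v is outside Pi.Secret and outside uniqOrigReqrd(S) (the caller computes
    that set from the history).  Pair, Encryption and Hash roles compose."""
    K = analyze(set(s_terms) | set(keyp))
    def synth(u):
        if u in K:
            return True
        kind = u[0]
        if kind in ("text", "nonce"):
            return guessable(u)
        if kind == "key":                    # only Key_P or learned keys
            return False
        if kind in ("pair", "encr"):
            return synth(u[1]) and synth(u[2])
        return synth(u[1])                   # hash
    return synth(t)

def set_customer_step3(c, m, g, nc, nm, price, od, pd):
    """Customer's step-3 message of Pi_SET (Figure 1):
    [trans]_pvt(c) . {od}_pub(m) . {pd}_pub(g)."""
    trans = pair(text(c), text(m), text(g), nonce(nc), nonce(nm),
                 text(price), hsh(text(od)), hsh(text(pd)))
    return pair(encr(trans, pvt(c)), encr(text(od), pub(m)), encr(text(pd), pub(g)))

def customer_talks_to(m):
    """What P can derive when S is just the customer's step-3 node and the
    merchant is m (pass "P" for a dishonest merchant).  Key_P is the typical
    set of Section 2.1; Secret = Order u PayDesc (assumed for illustration);
    nc uniquely originates on the node in S, so nc is in uniqOrigReqrd(S)."""
    msg = set_customer_step3("c", m, "g", "nc", "nm", "42", "od", "pd")
    names = {"c", "g", "m"}
    keyp = {pvt("P")} | {pub(x) for x in names | {"P"}} | {sym("P", y) for y in names}
    secret, uniq = {text("od"), text("pd")}, {nonce("nc")}
    q = lambda t: derivable(t, [msg], keyp, lambda v: v not in secret and v not in uniq)
    return {
        "order":   q(text("od")),                  # needs pvt(m)
        "paydesc": q(text("pd")),                  # needs pvt(g): never
        "nc":      q(nonce("nc")),                 # read from [trans]_pvt(c) via pub(c)
        "replay":  q(encr(text("pd"), pub("g"))),  # forward the ciphertext as received
        "forge":   q(encr(pair(text("pd"), nonce("nc")), pub("g"))),  # needs pd
        "resign":  q(encr(text("x"), pvt("c"))),   # needs pvt(c)
        "fresh":   q(nonce("nx")),                 # Message role: nonce not required to originate in S
    }
```

With `customer_talks_to("P")` a dishonest merchant learns the order description and $nc$ but not $pd$, can replay $\{pd\}_{\mathit{pub}(g)}$ unchanged, and cannot re-sign anything under $\mathit{pvt}(c)$; with an honest merchant `"m"` the order description stays hidden.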

2.5. Correctness Requirements

We consider the following kinds of correctness requirements. For a correctness requirement $\phi$, we say that a protocol $\Pi$ satisfies $\phi$ iff every history of $\Pi$ satisfies $\phi$.

Long-Term Secrecy. A history $h$ of a protocol $\Pi$ satisfies long-term secrecy iff, for every $t \in \Pi.\mathit{Secret} \cup (\mathit{Key} \setminus \mathit{Key}_P)$, $\mathcal{N}_h \nvdash_h^{\Pi} t$.
Cust(od : Order, price : Price, \underline{salt_c} : Nonce, \underline{R_c} : Nonce, CAN : AcctNum_0,
     ID_m : Name_m ∪ {P}, TID_m : Nonce, nonce_m : Nonce, g : Name_g, YesNo : Result) =
  let cid = h(R_c·CAN)
  and common = price·ID_m·TID_m·nonce_m·cid·h(od·salt_c)
  and clear = ID_m·TID_m·nonce_m·h(common)
  and slip = price·h(common)·CAN·R_c in
  ⟨⟨ +salt_c·cid,                                   (* 1. to merchant *)
     −clear,                                        (* 2. from merchant *)
     +{slip}_{pub(g)},                              (* 3. to merchant *)
     −YesNo·[h(YesNo·h(common))]_{pvt(g)} ⟩⟩        (* 4. from merchant *)

Mrch(od : Order, price : Price, salt_c : Nonce, cid : Hash(Nonce × AcctNum), ID_m : Name_m,
     \underline{TID_m} : Nonce, \underline{nonce_m} : Nonce, g : Name_g, YesNo : Result, eslip : Term) =
  let common = price·ID_m·TID_m·nonce_m·cid·h(od·salt_c)
  and clear = ID_m·TID_m·nonce_m·h(common) in
  ⟨⟨ −salt_c·cid,                                   (* 1. from customer *)
     +clear,                                        (* 2. to customer *)
     −eslip,                                        (* 3. from customer *)
     +clear·h(od·salt_c)·eslip,                     (* 4. to gateway *)
     −YesNo·[h(YesNo·h(common))]_{pvt(g)},          (* 5. from gateway *)
     +YesNo·[h(YesNo·h(common))]_{pvt(g)} ⟩⟩        (* 6. to customer *)

Gate(price : Price, R_c : Nonce, CAN : AcctNum, ID_m : Name_m ∪ {P},
     TID_m : Nonce, nonce_m : Nonce, g : Name_g, hodsalt : Hash(Order × Nonce), YesNo : Result) =
  let cid = h(R_c·CAN)
  and common = price·ID_m·TID_m·nonce_m·cid·hodsalt
  and clear = ID_m·TID_m·nonce_m·h(common)
  and slip = price·h(common)·CAN·R_c in
  ⟨⟨ −clear·hodsalt·{slip}_{pub(g)},                 (* 1. from merchant *)
     +YesNo·[h(YesNo·h(common))]_{pvt(g)} ⟩⟩        (* 2. to merchant *)

Figure 2. Roles for Π_IKP.


Nonce Secrecy. Informally, nonce secrecy says: the values of specified nonce parameters are not revealed to the penetrator. A nonce secrecy requirement has the form "$r.x$ is secret unless $r.y \in S$", where $r \in \Pi$, $x$ and $y$ are parameters of $r$, and $S \subseteq \mathit{Text}$ (typically, $S \subseteq \mathit{Name}$). A history $h = (tr, \to_{\mathrm{msg}}, \mathit{role})$ of a protocol $\Pi$ satisfies that requirement iff, for every strand $s \in \mathrm{dom}(tr)$, if $\mathit{role}(s) = r$ and $y \in \mathrm{dom}(\mathit{args}(\mathit{role}(s), tr(s)))$ and $\mathit{args}(\mathit{role}(s), tr(s))(y) \notin S$, then $\mathcal{N}_{tr} \nvdash_h^{\Pi} \mathit{args}(\mathit{role}(s), tr(s))(x)$.

Agreement. Informally, agreement says: if some strand executed a certain role to a certain point with certain arguments, then some strand must have executed a corresponding role to a corresponding point with corresponding arguments. An agreement requirement has the form "$(r_2, \mathit{len}_2)$ satisfying $x_2 \notin S_2$ is preceded by $(r_1, \mathit{len}_1)$ satisfying $t_1 = t_2$", where $x_2$ is a parameter of $r_2$, $S_2$ is a subset of $\mathit{Text}$, and $t_1$ and $t_2$ are terms containing parameters of $r_1$ and $r_2$, respectively, as free variables. A history $h = (tr, \to_{\mathrm{msg}}, \mathit{role})$ of a protocol $\Pi$ satisfies that agreement requirement iff, if $h$ contains a strand $s_2$ such that $\mathit{role}(s_2) = r_2$, $\mathrm{len}(tr(s_2)) \ge \mathit{len}_2$, and $\mathit{args}(r_2, tr(s_2))(x_2) \notin S_2$, then $tr$ contains a strand $s_1$ for role $r_1$ such that $\mathrm{len}(tr(s_1)) \ge \mathit{len}_1$ and $t_1$ instantiated with the arguments of $s_1$ equals $t_2$ instantiated with the arguments of $s_2$.

One of Bolignano's requirements for $\Pi_{\mathrm{SET}}$ is that the gateway has proof of transaction authorization by the merchant [5, p. 12]. This can be expressed as an agreement requirement: $(\mathrm{Gate}, 1)$ satisfying $\mathrm{Gate}.m \notin \{P\}$ is preceded by $(\mathrm{Mrch}, 4)$ satisfying

let $\mathit{trans}_m = \mathrm{Mrch}.c \cdot \mathrm{Mrch}.m \cdot \mathrm{Mrch}.nc \cdot \mathrm{Mrch}.nm \cdot \mathrm{Mrch}.price \cdot h(\mathrm{Mrch}.od) \cdot \mathrm{Mrch}.hpd$
and $\mathit{trans}_g = \mathrm{Gate}.c \cdot \mathrm{Gate}.m \cdot \mathrm{Gate}.nc \cdot \mathrm{Gate}.nm \cdot \mathrm{Gate}.price \cdot \mathrm{Gate}.hod \cdot h(\mathrm{Gate}.pd)$ in
$\mathit{trans}_m = \mathit{trans}_g \wedge \mathrm{Mrch}.g = \mathrm{Gate}.g$
This requirement applies even if $\mathrm{Gate}.c = P$, i.e., even if the customer is dishonest.² SET is designed to provide secrecy for order and payment descriptions. $\Pi_{\mathrm{SET}}$ as defined above does not provide such secrecy, because, e.g., a customer strand with $\mathrm{Cust}.m = P$ can reveal an order description to the penetrator. This is why we take $\Pi_{\mathrm{SET}}.\mathit{Secret} = \emptyset$. To express secrecy of order descriptions from gateways, we use a variant $\Pi'_{\mathrm{SET}}$ in which merchants are assumed to be honest; specifically, $\Pi'_{\mathrm{SET}}$ differs from $\Pi_{\mathrm{SET}}$ as follows: the type for $\mathrm{Cust}.m$ is $\mathit{Name}_m$, and $\Pi'_{\mathrm{SET}}.\mathit{Secret} = \mathit{Order}$. Dishonest gateways are modeled by penetrator strands (the types of $\mathrm{Cust}.g$ and $\mathrm{Mrch}.g$ contain $P$), so if order descriptions are not known to the penetrator, then they are not known to dishonest gateways, so they are not known to honest gateways. Secrecy of payment descriptions from merchants can be expressed similarly.

Requirements for I KP can be expressed similarly; for details, see [23]. IKP also has a nonce secrecy requirement: $\mathrm{Cust}.R_c$ is secret unless $\mathrm{Cust}.g \in \{P\}$.

3.  Support 

Informally, a set $S'$ of nodes of a history $tr$ supports a set $S$ of nodes of $tr$ if $S' \supseteq S$ and $S'$ contains all of the regular nodes on which regular nodes in $S$ depend. A formal definition follows.

For $T \subseteq \mathit{Term}$, the set of nonces that occur in $T$ is $\mathrm{nonces}(T) = \{g \in \mathit{Nonce} \mid \exists t \in T : g \text{ occurs in } t\}$.

Let $\mathcal{RN}_h^{\Pi}$ denote the set of regular nodes in history $h$ of protocol $\Pi$.

A set $S'$ of nodes is a support for a set $S$ of nodes in a history $h$ of a protocol $\Pi$ if:

1. $\mathcal{N}_h \supseteq S' \supseteq S$.

2. $S'$ is backwards-closed with respect to $\to_{\mathrm{lcl}}$.

3. For all negative nodes $n$ in $S'$, $\mathrm{preds}_h(n) \cap S' \cap \mathcal{RN}_h^{\Pi} \vdash_h^{\Pi} \mathrm{term}_h(n)$.

4. For all $g \in \mathrm{nonces}(\mathrm{term}_h(S')) \cap D$, where $D = \mathrm{uniqOrigReqrd}_h^{\Pi}(\mathcal{N}_h) \setminus \mathrm{uniqOrigReqrd}_h^{\Pi}(S')$, $g$ occurs in the clear in $\mathrm{term}_h(\mathrm{origin}_h(g))$. (This condition ensures the compositionality property expressed in Lemma 2.)

For a strand $s$, if $S'$ supports $\mathrm{nodes}(s)$, we say that $S'$ supports $s$.

² Bolignano's version of the protocol omits $g$ from $\mathit{trans}$ and consequently violates the conjunct $\mathrm{Mrch}.g = \mathrm{Gate}.g$ (in his presentation, this conjunct corresponds to $st'.mcht.gateway = G$ in the second filter function on p. 12).


For example, consider the following history of a generic payment protocol. Suppose $s_{c,1}$, $s_{m,1}$, and $s_{g,1}$ are customer, merchant, and gateway strands, respectively, that interact without interference from the penetrator. Let $g$ be a nonce that uniquely originates on $s_{m,1}$ and is revealed to the penetrator (e.g., the value of $\mathrm{Mrch}.nm$ in $\Pi_{\mathrm{SET}}$). The penetrator then behaves as a merchant, interacting with a customer strand $s_{c,2}$ and a gateway strand $s_{g,2}$, except that the penetrator uses $g$ instead of a fresh nonce. A support for $s_{c,2}$ or $s_{g,2}$ need not contain nodes on $s_{m,1}$ or $s_{c,1}$. In that sense, $s_{c,2}$ and $s_{g,2}$ do not depend on $s_{m,1}$, even though the chain of messages that conveys $g$ means that there is causal dependence between those nodes in the classical sense of Lamport [15]. Informally, that classical dependence can be ignored here because the penetrator could generate a nonce $g'$ and replace $g$ with $g'$ in the terms of nodes on $s_{c,2}$ and $s_{g,2}$. The careful treatment of unique origination in the definition of derivability allows such inessential classical dependencies to be ignored. The following lemma says that a support can be transformed into a history by adding penetrator nodes, without adding or changing regular nodes.

For a set $S$ of nodes, let $\mathrm{strand}(S) = \{\mathrm{strand}(n) \mid n \in S\}$. For a trace mapping $tr$, a strand $s \in \mathrm{dom}(tr)$, and a set $S$ of nodes of $tr$ that is backwards-closed with respect to $\to_{\mathrm{lcl}}$, $S$ contains nodes on a prefix of $tr(s)$; let $\mathrm{prefix}_{tr}(s,S)$ denote that prefix.

Lemma 1. Let Π be a protocol. If S' is a support for S in a history h = ⟨tr, role⟩ of Π, then there exists a history h' = ⟨tr', role'⟩ of Π such that

$$(\forall s \in \mathrm{strand}(S') : s \in \mathrm{dom}(tr') \wedge tr'(s) = \mathrm{prefix}_{tr}(s, S') \wedge role'(s) = role(s))$$

$$\wedge\ (\forall s \in \mathrm{dom}(tr') \setminus \mathrm{strand}(S') : role'(s) \in \Pi_P(\mathrm{Key}_P))$$

/V/  rri  77159'.  msg  V 

$$\wedge\ (\forall n_1, n_2 \in S' : n_1 \preceq_h n_2 \Rightarrow n_1 \preceq_{h'} n_2) \qquad (1)$$

Proof: h' is constructed by combining nodes in S' with histories that witness the derivability of terms (as required by item 3 in the definition of support). For details, see [23]. ∎

Lemma 2. If S'_0 and S'_1 support S_0 and S_1, respectively, in a history h = ⟨tr, role⟩ of a protocol Π, then S'_0 ∪ S'_1 supports S_0 ∪ S_1 in history h of Π.

Proof: The only complication is dealing with nonces in uniqOrigReqrd_h^Π(S'_0) \ uniqOrigReqrd_h^Π(S'_1) or uniqOrigReqrd_h^Π(S'_1) \ uniqOrigReqrd_h^Π(S'_0). The fourth condition in the definition of support ensures that such nonces are available to the penetrator even if they are uniquely originated. For details, see [23]. ∎
3.1. Bounded Support Restriction

A strand count for a protocol Π is a function from the roles of Π to the natural numbers. A set S of nodes has strand count f iff, for each role r, S contains nodes from exactly f(r) strands for r. If N_h has strand count f, then we say that history h has strand count f. Let f_1(r) = 1 for every role r. We define a partial ordering ≼_sc on strand counts for a protocol; ≼_sc is simply the pointwise extension of the standard ordering on natural numbers.

A history h satisfies the bounded support restriction, abbreviated BSR, iff for each regular strand s in h, there exists a support for s in h with strand count at most f_1. A protocol satisfies BSR iff all of its histories do.

Π_SET and Π_1KP satisfy BSR. We proved these results manually; the proofs are similar to the proof in [22] for Lowe's corrected version of the Needham-Schroeder public-key authentication protocol. Theorem 2 in Section 5 shows that in principle, these results can be obtained automatically by state-space exploration of histories with bounded strand counts; an algorithm like the one in [22] can be used to compute a (small) support for a given set of nodes. The current bounds probably need to be decreased somewhat before this is feasible, e.g., by finding a tighter bound on the dependence width (see Section 4).

4. Dependence Width

Informally, the dependence width of a negative term r(i) in a role r of a protocol Π, denoted DW(⟨r, i⟩, Π), is the maximum number of "additional" positive regular nodes needed in any history h of Π to provide the penetrator with enough knowledge to produce the term received by any node ⟨s, i⟩ of h such that role(s) = r. "Additional" here means "beyond those needed for the penetrator to produce negative terms that occur earlier in the same strand". The dependence width of a protocol Π, denoted DW(Π), is the maximum over all negative terms r(i) in roles r in Π of DW(⟨r, i⟩, Π). The concept of dependence width is used in the proof of Theorem 2 in Section 5 to bound the number of strands involved in a violation of BSR.

Let n be a negative node of a history h of a protocol Π, and let t be a subterm of term_h(n). A revealing set for t at n in h is a set S of positive regular nodes of tr such that S ⊆ preds_h(n) and S ⊢_h^Π t.

For a set S of numbers, let min(S) and max(S) denote the minimum and maximum element of S, respectively. We define min(∅) = 0 and max(∅) = 0.

The revealing set min-size of t at ⟨s, i⟩ in h is

$$\mathrm{rvlSetMinSz}(t, \langle s, i\rangle, h) = \min(\{\mathrm{size}(R \setminus \mathrm{nodes}_h(s)) \mid R \text{ is a revealing set for } t \text{ at } \langle s, i\rangle \text{ in } h\}) \qquad (2)$$


Nodes in R that are on the same strand as n are not counted in the revealing set min-size (and hence not in the dependence width), because in the proof of Theorem 2 (specifically, in equation (5)) those nodes appear in support_{h_0}(s_0) and hence are excluded from the index set of the rightmost union, and the dependence width is designed to bound the size of that index set.

Note that, if there are no revealing sets for t at n in h (i.e., t is not known to the penetrator at that point), then rvlSetMinSz(t, n, h) = 0.

Let r be a role in a protocol Π, and let i be the index of a negative term in r. The dependence width of ⟨r, i⟩ in Π is

$$\mathrm{DW}(\langle r, i\rangle, \Pi) = \max(\{\mathrm{rvlSetMinSz}(\mathrm{term}_{tr}(\langle s, i\rangle), \langle s, i\rangle, \langle tr, role\rangle) \mid \langle tr, role\rangle \in \mathrm{Hist}(\Pi) \wedge \langle s, i\rangle \in N_{tr} \wedge role(s) = r\}) \qquad (3)$$

The dependence width of a protocol Π is

$$\mathrm{DW}(\Pi) = \max(\{\mathrm{DW}(\langle r, i\rangle, \Pi) \mid r \in \Pi \wedge r(i) \text{ is a negative term}\}) \qquad (4)$$

The proof of Theorem 2, and therefore also the proof of Theorem 3, rely on an upper bound on the dependence width of the protocol. If the protocol might send terms of the forms

$$\{g\}_{k_1},\ \{k_1\}_{k_2},\ \{k_2\}_{k_3},\ \ldots,\ \{k_{i-1}\}_{k_i},\ k_i,$$

then i + 1 terms are needed to reveal g to the penetrator. Our long-term secrecy requirement prohibits such behavior. Secrecy-limited dependence width, abbreviated SL dependence width and denoted DW_SL, is defined in the same way as dependence width, except that the maximum over histories is restricted to histories satisfying long-term secrecy.

Let Π be a protocol, and let t be a term, possibly containing parameters. nSecret_0(t, Π) is a bound on the number of subterms of t that are not known to the penetrator, ignoring keys and values of parameters; formally, nSecret_0(t, Π) = N_e + N_h + N_prim, where N_e is the number of subterms of t whose outermost operator is encr, ignoring those whose second argument is always in Key_P (based on parameter types), N_h is the number of subterms of t with outermost operator h, and N_prim is the number of elements of Nonce ∪ Π.Secret that occur in t. In computing N_e and N_h, identical subterms are counted only once. For a parameter r.x of a role r of Π, nSecret(r.x, Π) = max({nSecret_0(t, Π) | t is in the type of r.x}).

Let

$$\mathrm{nSecret}(\langle r, i\rangle, \Pi) = \mathrm{nSecret}_0(r(i), \Pi) + \sum_{x \in \mathrm{params}(r(i))} \mathrm{nSecret}(r.x, \Pi),$$

where params(t) is the set of parameters that occur in t.
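The counting rule for nSecret_0 and nSecret, worked as an added example (our own term encoding, not the paper's formal term algebra): the term constructors, the "always in Key_P" flag on keys, the parameter types and the sample message are all constructed here.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union

# Constructed term encoding (ours, not the paper's). A Key carries a flag for
# "the second argument of encr is always in Key_P (based on parameter types)".
@dataclass(frozen=True)
class Nonce:
    name: str

@dataclass(frozen=True)
class Secret:          # element of Pi.Secret
    name: str

@dataclass(frozen=True)
class Text:            # public text: never counted
    name: str

@dataclass(frozen=True)
class Key:
    name: str
    always_penetrator_known: bool = False   # in Key_P by its type

@dataclass(frozen=True)
class Param:           # role parameter r.x; its value is ignored by nSecret_0
    name: str

@dataclass(frozen=True)
class Pair:
    left: "Term"
    right: "Term"

@dataclass(frozen=True)
class Encr:            # encr(body, key), written {body}_key
    body: "Term"
    key: Key

@dataclass(frozen=True)
class Hash:            # h(body)
    body: "Term"

Term = Union[Nonce, Secret, Text, Key, Param, Pair, Encr, Hash]


def subterms(t: Term) -> FrozenSet[Term]:
    """All subterms of t, t included; a set, so identical subterms collapse."""
    acc = {t}
    if isinstance(t, Pair):
        acc |= subterms(t.left) | subterms(t.right)
    elif isinstance(t, Encr):
        acc |= subterms(t.body) | subterms(t.key)
    elif isinstance(t, Hash):
        acc |= subterms(t.body)
    return frozenset(acc)


def nSecret0(t: Term) -> int:
    """N_e + N_h + N_prim: ciphertexts not under a Key_P key, hashes, and
    nonces/secrets occurring in t, each distinct subterm counted once."""
    subs = subterms(t)
    n_e = sum(1 for u in subs
              if isinstance(u, Encr) and not u.key.always_penetrator_known)
    n_h = sum(1 for u in subs if isinstance(u, Hash))
    n_prim = sum(1 for u in subs if isinstance(u, (Nonce, Secret)))
    return n_e + n_h + n_prim


def params(t: Term) -> FrozenSet[str]:
    """params(t): names of the parameters occurring in t."""
    return frozenset(u.name for u in subterms(t) if isinstance(u, Param))


def nSecret(term: Term, types: Dict[str, List[Term]]) -> int:
    """nSecret(<r,i>, Pi) = nSecret_0(r(i)) + sum over parameters x of
    max nSecret_0 over the terms in the type of r.x (max of empty set is 0)."""
    total = nSecret0(term)
    for x in params(term):
        total += max((nSecret0(u) for u in types.get(x, [])), default=0)
    return total


# Constructed sample message: {nonce_c, h(card, nonce_c)}_Kg paired with the
# same hash in the clear. Kg is a long-term key, so the ciphertext counts;
# the hash occurs twice but is counted once.
DIGEST = Hash(Pair(Secret("card"), Nonce("nonce_c")))
SAMPLE = Pair(Encr(Pair(Nonce("nonce_c"), DIGEST), Key("Kg")), DIGEST)

# Same message, but encrypted under a key the penetrator always knows.
SAMPLE_PUBLIC_KEY = Pair(Encr(Pair(Nonce("nonce_c"), DIGEST),
                              Key("Kp", always_penetrator_known=True)), DIGEST)

# A term with a parameter x whose (constructed) type holds two candidate terms.
WITH_PARAM = Pair(Param("x"), Nonce("n"))
TYPES = {"x": [Text("price"), Encr(Secret("s"), Key("K"))]}

if __name__ == "__main__":
    print(nSecret0(SAMPLE))                 # 4: 1 encr + 1 hash + nonce_c + card
    print(nSecret0(SAMPLE_PUBLIC_KEY))      # 3: the encr under Kp is ignored
    print(nSecret(WITH_PARAM, TYPES))       # 3: 1 + max(0, 2)
```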

Theorem 1. Let r(i) be a negative term in a role r of a protocol Π. DW_SL(⟨r, i⟩, Π) ≤ nSecret(⟨r, i⟩, Π).

Proof: Consider a strand s for r in a history h for Π. We consider each subterm t_1 of term_h(⟨s, i⟩) and show that each hash, ciphertext, and element of uniqOrigReqrd_h^Π(N_h) ∪ Π.Secret that occurs in term_h(⟨s, i⟩) contributes at most 1 to DW_SL(⟨r, i⟩, Π). The number of such subterms is bounded by nSecret(⟨r, i⟩, Π). Other subterms contribute nothing. The definition of dependence width implies that terms not derivable by the penetrator contribute nothing to the dependence width (because such terms have no revealing sets), so in computing the bound, we conservatively assume all subterms are derivable by the penetrator. Consider cases based on the type of t_1.

case 1: t_1 ∈ Key. Long-term secrecy implies that no keys are revealed, so keys contribute nothing to DW_SL(⟨r, i⟩, Π).

case 2: t_1 ∈ uniqOrigReqrd_h^Π(N_h) ∪ Π.Secret. The definition of history implies that t_1 originates from a regular node in h and (according to the conservative assumption discussed above) is derivable by the penetrator (using strands for Separation and Decryption), so there is a positive regular node n such that t_1 occurs in term_h(n) either in the clear or encrypted only with keys known to the penetrator. Long-term secrecy implies that those keys (if any) are in Key_P. Thus, t_1 is derivable from {n}, so t_1 contributes at most 1 to DW_SL(⟨r, i⟩, Π).

case 3: t_1 ∈ Text \ (uniqOrigReqrd_h^Π(N_h) ∪ Π.Secret). t_1 is directly available to the penetrator through the Message role, so t_1 contributes nothing to DW_SL(⟨r, i⟩, Π).

case 4: t_1 is a pair. Revealing a pair is equivalent to revealing its two components, so proper subterms of t_1 contribute to DW_SL(⟨r, i⟩, Π), but t_1 itself does not.

case 5: t_1 is a ciphertext or hash, and t_1 originates from a penetrator node in preds_h(⟨s, i⟩). The penetrator performs the encryption or hashing to construct its copy of t_1, so proper subterms of t_1 contribute to DW_SL(⟨r, i⟩, Π), but t_1 itself does not.

case 6: t_1 is a ciphertext or hash, and t_1 does not originate from a penetrator node in preds_h(⟨s, i⟩). Then t_1 originates from a regular node, and the argument is the same as in case 2. Note that it is not necessary for proper subterms of t_1 to contribute to DW_SL(⟨r, i⟩, Π). Our bound on DW_SL(⟨r, i⟩, Π) might be loose because it does not attempt to exploit this observation; exploiting it is left for future work.

Now we justify ignoring, in the definition of N_e in nSecret_0, occurrences of encr whose second argument is always in Key_P. Let {t'}_k be such a ciphertext.

case 1: ∅ ⊢_h^Π t'; in other words, t' contains no secrets. Then ∅ ⊢_h^Π {t'}_k, so {t'}_k contributes nothing to DW_SL(⟨r, i⟩, Π).

case 2: ∅ ⊬_h^Π t'; in other words, t' contains one or more secrets. Thus, subterms of t' contribute at least 1 to our bound on DW_SL(⟨r, i⟩, Π).

case 2.1: preds_h(⟨s, i⟩) ⊢_h^Π t'. The penetrator can perform the encryption to construct its copy of {t'}_k, so proper subterms of {t'}_k contribute to DW_SL(⟨r, i⟩, Π), but {t'}_k itself does not, so ignoring {t'}_k in N_e is safe.

case 2.2: preds_h(⟨s, i⟩) ⊬_h^Π t'. The ciphertext {t'}_k must originate from a regular node and be revealed to the penetrator. The ciphertext actually contributes 1 to DW_SL(⟨r, i⟩, Π) (cf. case 6 above), and its subterms actually contribute nothing. Our bound counts 0 from the ciphertext but counts at least 1 from subterms of t'. Thus, although the bookkeeping might seem skewed, the sum of the contributions is sufficient. ∎

We simplify Π_SET and Π_1KP as follows. Parameters epd and eslip are used to forward messages in a trivial way (specifically, all occurrences of these parameters are unencrypted), and TID_m is redundant because it always appears together with nonce_m. Thus, eliminating these parameters has no impact on correctness. Let Π'_SET and Π'_1KP refer to versions of the protocols in which these parameters have been eliminated. Theorem 1 implies DW_SL(Π'_SET) ≤ 6 and DW_SL(Π'_1KP) ≤ 7. In both protocols, the first term of Gate has the largest dependence width.

The bound on DW_SL provided by Theorem 1 can sometimes be decreased by replacing a negative term of the form −t_1·t_2 in a role with the sequence of terms −t_1, −t_2. For example, let Π''_SET denote the protocol obtained from Π'_SET by splitting the first term of Gate into a sequence of three terms. Theorem 1 implies DW_SL(Π''_SET) ≤ 5. This transformation preserves all correctness requirements, provided the lengths in agreement requirements are adjusted appropriately.

5. Reduction for BSR and Long-Term Secrecy

The following lemma says, roughly, that constructing a history h' from a support S' of a set S of nodes of a history h does not create new supports for S.

Lemma 3. Suppose S_0 supports S in a history h of a protocol Π. Let h' be a history of Π whose existence is implied by Lemma 1 applied to S_0. Suppose S_1 supports S in history h' of Π. Then S_1 ∩ N_h supports S in history h of Π.

Proof: The proof is similar to that of Lemma 3 in [22]. ∎

For a protocol Π, define a strand count β(Π) by β(Π)(r) = DW_SL(Π) + 1.
Theorem 2. A protocol Π satisfies BSR and long-term secrecy iff all histories of Π with strand count β(Π) do.

Proof: The forward direction (⇒) of the "iff" is easy. For the reverse direction (⇐), we prove the contrapositive, i.e., we suppose there exists a history h of Π that violates BSR or long-term secrecy, and we construct a history of Π with strand count at most β(Π) that violates the same property.

BSR and long-term secrecy are safety properties satisfied by histories with zero nodes, and ≼_h is well-founded, so there exists a ≼_h-minimal node n_0 such that

1. nodesToHist_h(preds_h(n_0)) satisfies BSR and long-term secrecy.

2. nodesToHist_h(preds_h(n_0)) ∪ {n_0} violates BSR or long-term secrecy.

Let h_0 = nodesToHist_h(preds_h(n_0)). Let s_0 = strand(n_0) and i_0 = index(n_0). Note that in h_0, s_0 does not include n_0. For a strand s in a history h' that satisfies BSR, let support_{h'}(s) denote a support for s in h' with strand count at most f_1. The definitions of BSR and long-term secrecy imply n_0 is a regular node. Consider cases based on the sign of n_0.

case: n_0 is a negative node. n_0 cannot cause a violation of secrecy, so it causes a violation of BSR. Suppose i_0 > 0. n_0 directly depends on ⟨s_0, i_0 − 1⟩ and on a revealing set R for term(n_0) at n_0 in h; more precisely, for all S', if S' supports {⟨s_0, i_0 − 1⟩} ∪ R in h, then S' ∪ {n_0} supports {n_0} in h. h_0 satisfies long-term secrecy, so Theorem 1 implies size(R \ nodes_{h_0}(s_0)) ≤ DW_SL(Π). Let

$$S_1 = \{n_0\} \cup \mathrm{support}_{h_0}(s_0) \cup \bigcup_{n \in R \setminus \mathrm{nodes}_{h_0}(s_0)} \mathrm{support}_{h_0}(\mathrm{strand}(n)). \qquad (5)$$

h_0 satisfies BSR, so each of the supports in (5) has strand count at most f_1, so S_1 has strand count at most β(Π) (note that n_0 is on s_0, so {n_0} ∪ support_{h_0}(s_0) contributes at most f_1 to the strand count of S_1).

Lemma 2 implies that S_1 \ {n_0} supports {⟨s_0, i_0 − 1⟩} ∪ R in h; thus, S_1 supports {n_0} in h. Lemma 1 implies that S_1 can be transformed into a history h_1 of Π by adding penetrator nodes. Adding penetrator nodes does not affect the strand count, so h_1 has strand count at most β(Π). We show by contradiction that n_0 also causes a violation of BSR in h_1. Suppose n_0 does not cause such a violation. Then there exists a support S' for {n_0} in h_1 with strand count at most f_1. Lemma 3 implies that S' ∩ N_h is a support for {n_0} in h with strand count at most f_1, a contradiction.

Suppose i_0 = 0. The proof is similar to the case i_0 > 0, except n_0 does not depend on the non-existent node ⟨s_0, i_0 − 1⟩, so we omit support_{h_0}(s_0) from the definition of S_1, and Lemma 2 implies that S_1 \ {n_0} supports R in h.


case: n_0 is a positive node. n_0 cannot cause a violation of BSR, so it causes a violation of long-term secrecy. preds_h(n_0) satisfies long-term secrecy, so there is some t ∈ Π.Secret ∪ (Key \ Key_P) such that t appears in term_h(n_0) either in the clear or encrypted only with keys in Key_P. Suppose i_0 > 0. Let S_0 = support_{h_0}(s_0) and S_1 = {n_0} ∪ S_0. h_0 satisfies BSR, so S_0 and S_1 have strand count at most f_1 (note that n_0 is on s_0, and s_0 ∈ strand(S_0), so n_0 does not increase the strand count of S_1). S_1 can be transformed into a history h_1 by adding penetrator nodes; this follows from Lemma 1 and the observation that n_0 is positive and is an immediate successor of the last node on s_0 in h_0. It is easy to show that adding penetrator nodes does not change the strand count or destroy the violation of long-term secrecy. Thus, h_1 is a history of Π with strand count at most β(Π) that violates long-term secrecy. Suppose i_0 = 0. Then preds_h(n_0) = ∅, and the history containing only node n_0 has strand count at most f_1 and violates long-term secrecy. ∎

6. Reduction for Nonce Secrecy and Agreement

Define a strand count f_2 by: f_2(r) = 2 for every role r.

Theorem 3. Let φ be a nonce secrecy or agreement requirement. Suppose all histories of a protocol Π with strand count β(Π) satisfy BSR and long-term secrecy. Π satisfies φ iff all histories of Π with strand count f_2 do.

Proof: The forward direction (⇒) of the "iff" is easy. For the reverse direction (⇐), we prove the contrapositive, i.e., we suppose there exists a history h = ⟨tr, role⟩ of Π that violates φ, and we construct a history of Π with strand count at most f_2 that violates φ. Nonce secrecy and agreement requirements are safety properties satisfied by histories with zero nodes, and ≼_h is well-founded, so there exists a ≼_h-minimal node n_0 such that

1. nodesToHist_h(preds_h(n_0)) satisfies φ.

2. nodesToHist_h(preds_h(n_0)) ∪ {n_0} violates φ.

Let s_0 = strand(n_0).

By hypothesis, all histories of Π with strand count β(Π) satisfy BSR and long-term secrecy, so Theorem 2 implies that Π satisfies BSR. For s ∈ dom(h), let support_h(s) denote a support for s with strand count at most f_1.

Suppose φ is a nonce secrecy requirement. φ has the form "r.x is secret unless r.y ∈ S". n_0 is a positive regular node, and there is a regular strand s_g such that args(role(s_g), tr(s_g))(y) ∉ S and preds_h(n_0) ⊬_h^Π g and preds_h(n_0) ∪ {n_0} ⊢_h^Π g, where g = args(role(s_g), tr(s_g))(x). By the same reasoning as in case 2 of the proof of Theorem 1, this implies that {n_0} ⊢_h^Π g. Let S_1 = support_h(s_0) ∪ support_h(s_g). Lemma 2 implies that S_1 is a support for nodes_h(s_0) ∪ nodes_h(s_g). Lemma 1 implies that S_1 can be transformed into a history h_1 by adding penetrator nodes. Note that S_1 and h_1 have strand count at most f_2. It is easy to see that n_0 causes a violation of nonce secrecy in h_1.

Suppose φ is an agreement requirement. φ has the form: "⟨r_2, len_2⟩ satisfying x_2 ∉ S_2 is preceded by ⟨r_1, len_1⟩ satisfying t_1 = t_2". n_0 causes a violation of φ, so s_0 is a strand for r_2 and args(r_2, tr(s_0))(x_2) ∉ S_2 and index(n_0) = len_2. Lemma 1 implies that support_h(s_0) can be transformed into a history h_0 of Π with strand count at most f_1. Note that n_0 ∈ N_{h_0}. Removing nodes in N_h \ N_{h_0} and adding penetrator nodes preserve the lack of a node ⟨s_1, len_1⟩ such that role(s_1) = r_1 and such that t_1 instantiated with the arguments of s_1 equals t_2 instantiated with the arguments of s_0. Thus, h_0 violates φ. ∎
Abstract

The inference problem for propositional circumscription is known to be highly intractable and, in fact, harder than the inference problem for classical propositional logic. More precisely, in its full generality this problem is Π_2^P-complete, which means that it has the same inherent computational complexity as the satisfiability problem for quantified Boolean formulas with two alternations (universal-existential) of quantifiers. We use Schaefer's framework of generalized satisfiability problems to study the family of all restricted cases of the inference problem for propositional circumscription. Our main result yields a complete classification of the "truly hard" (Π_2^P-complete) and the "easier" cases of this problem (reducible to the inference problem for classical propositional logic). Specifically, we establish a dichotomy theorem which asserts that each such restricted case either is Π_2^P-complete or is in coNP. Moreover, we provide efficiently checkable criteria that tell apart the "truly hard" cases from the "easier" ones.


1  Introduction  and  Summary  of  Results 

During the past three decades, researchers in artificial intelligence have investigated in depth various formalisms of nonmonotonic reasoning. Circumscription, introduced by McCarthy [McC80], is perhaps the most well-known and extensively studied such formalism. It enjoys high expressive power and thus is suitable for modeling a wide variety of problems requiring nonmonotonic reasoning. Moreover, propositional circumscription has been shown by Gelfond et al. [GPP89] to coincide with reasoning under the extended closed world assumption (ECWA), which is one of the main formalisms for reasoning with incomplete information.
A fundamental problem in every logical formalism is inference, i.e., the problem of deciding whether, given two formulas φ and ψ, the formula ψ can be inferred from φ in the context of the logical formalism at hand. Intuitively, φ represents a knowledge base, while ψ represents a statement that we are interested in deciding whether it can be inferred from the knowledge base. In the case of classical propositional logic, inference amounts to tautological implication φ ⊨ ψ, i.e., to the problem of deciding whether ψ is satisfied by every truth assignment that satisfies φ. Consequently, inference in classical propositional logic is a coNP-complete problem and thus considered to be intractable. In the case of propositional circumscription, inference turns out to have even higher inherent computational complexity. Indeed, as shown by Eiter and Gottlob [EG93], the inference problem for propositional circumscription is Π_2^P-complete. Recall that the class Π_2^P constitutes the second level of the polynomial hierarchy PH and thus contains both NP and coNP as subclasses. Moreover, the prototypical Π_2^P-complete problem is ∀∃-Sat, i.e., the satisfiability problem for quantified Boolean formulas of the form ∀x∃yθ(x, y), where x, y are tuples of propositional variables and θ(x, y) is a CNF-formula (see [Pap94]).

Classical propositional logic is concerned with all models of a given formula, i.e., with all truth assignments that satisfy the formula. In contrast, propositional circumscription is concerned with the minimal models of a given formula, i.e., with those satisfying truth assignments for which there is no smaller satisfying truth assignment with respect to the coordinate-wise partial order between truth assignments. Consequently, in its full generality, the inference problem for propositional circumscription can be stated as follows: given two CNF-formulas φ and ψ, is ψ true in every minimal model of φ? A moment's reflection reveals that this problem is polynomial-time equivalent to the special case in which ψ is simply a clause (i.e., a disjunction of literals), since ψ can be inferred from φ under propositional circumscription if and only if each clause of ψ can be so inferred. Moreover, Eiter and Gottlob [EG93] established that the inference problem for propositional circumscription remains Π_2^P-complete even when φ is a 3CNF-formula and the clause ψ consists of a single negated variable.
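The two notions of inference just contrasted, worked as an added example (not from the paper): a brute-force minimal-model checker over small CNF-formulas, with a constructed knowledge base on which circumscription infers a clause that classical logic does not, and a Horn formula with a unique minimal model. The DIMACS-style literal encoding is our own convention.

```python
from itertools import product
from typing import FrozenSet, List, Set, Tuple

# Constructed encoding: a literal is a non-zero int, +k for x_k and -k for
# its negation; a clause is a tuple of literals; a CNF-formula is a list of
# clauses.  A truth assignment is the set of variables it makes true.
Clause = Tuple[int, ...]
CNF = List[Clause]
Model = FrozenSet[int]


def satisfies(model: Model, clause: Clause) -> bool:
    """A clause is true under an assignment iff one of its literals is."""
    return any((lit > 0) == (abs(lit) in model) for lit in clause)


def models(phi: CNF, n: int) -> Set[Model]:
    """All satisfying assignments of phi over x_1..x_n, by enumeration
    (fine for a few variables; the decision problems are coNP- and
    Pi_2^P-hard in general, so no efficient general method is claimed)."""
    result: Set[Model] = set()
    for bits in product((False, True), repeat=n):
        m = frozenset(k + 1 for k, b in enumerate(bits) if b)
        if all(satisfies(m, c) for c in phi):
            result.add(m)
    return result


def minimal_models(phi: CNF, n: int) -> Set[Model]:
    """Models with no strictly smaller model in the coordinate-wise order,
    i.e. no other model that is a proper subset as a set of true variables."""
    ms = models(phi, n)
    return {m for m in ms if not any(m2 < m for m2 in ms)}


def classical_infers(phi: CNF, psi: CNF, n: int) -> bool:
    """phi |= psi: every clause of psi holds in every model of phi."""
    return all(satisfies(m, c) for m in models(phi, n) for c in psi)


def circ_infers(phi: CNF, psi: CNF, n: int) -> bool:
    """Inference under circumscription: psi holds in every minimal model of
    phi.  A CNF psi is inferred iff each of its clauses is, so checking
    clause by clause is exact."""
    mins = minimal_models(phi, n)
    return all(satisfies(m, c) for m in mins for c in psi)


# Constructed knowledge base phi = (x1 v x2): minimal models {x1} and {x2};
# the model {x1, x2} is not minimal.
PHI = [(1, 2)]
PSI_NOT_BOTH = [(-1, -2)]        # the clause (not x1 v not x2)

# Horn knowledge base x1 and (x1 -> x2): a satisfiable Horn formula has a
# unique minimal (minimum) model, here {x1, x2}.
PHI_HORN = [(1,), (-1, 2)]

if __name__ == "__main__":
    print(sorted(sorted(m) for m in minimal_models(PHI, 2)))   # [[1], [2]]
    # Nonmonotonic effect: not a classical consequence, but a circumscriptive one.
    print(classical_infers(PHI, PSI_NOT_BOTH, 2))               # False
    print(circ_infers(PHI, PSI_NOT_BOTH, 2))                    # True
    print(minimal_models(PHI_HORN, 2) == {frozenset({1, 2})})   # True
```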

Are there restricted classes of propositional formulas on which the inference problem for propositional circumscription has complexity lower than Π_2^P-complete? To make this question precise, one can consider restrictions on both the formulas representing knowledge bases and the formulas representing statements to be inferred. Since clauses are the syntactically simplest propositional formulas, it is natural to consider restrictions on the formulas representing knowledge bases only. Thus, for every class F of propositional formulas, we let Inf-Circ(F) denote the following decision problem: given a formula φ ∈ F and a clause ψ, is ψ true on every minimal model of φ? The question then is to analyze the computational complexity of Inf-Circ(F) for different classes F of propositional formulas and identify classes F for which the complexity of Inf-Circ(F) is lower than Π_2^P-complete. Even before the Π_2^P-completeness of the full problem was established, this question was studied by Cadoli and Lenzerini [CL94], where Inf-Circ(F) was shown to be in P or to be coNP-complete for several different classes F of propositional formulas. Specifically, Cadoli and Lenzerini observed that if a class F of propositional formulas is such that testing satisfying truth assignments for minimality is in polynomial time, then Inf-Circ(F) is in coNP. Since minimality testing is in polynomial time for the classes of Horn formulas, dual Horn formulas and 2CNF-formulas, it follows that Inf-Circ(F) is in coNP, when F is one of these three classes. Moreover, if F is the class of all Horn formulas, then Inf-Circ(F) is solvable in polynomial time, since every satisfiable Horn formula has a minimum (unique minimal) model that can be computed in polynomial time. In [CL94], it was also proved that Inf-Circ(F) is actually coNP-complete, when F is the class of all dual Horn formulas or the class of all 2CNF-formulas.

The aforementioned results identify several interesting cases where the complexity of the inference problem in propositional circumscription is lower than Π_2^P-complete. Nonetheless, they do not provide a complete classification of the "truly hard" (Π_2^P-complete) and the "easier" cases of this problem. In particular, except for the class of all CNF-formulas and the class of all 3CNF-formulas, no other interesting classes F of propositional formulas for which Inf-Circ(F) is Π_2^P-complete were known prior to the work reported here. This should be contrasted with the state of affairs concerning the complexity of the inference problem for classical propositional logic, where a complete classification can be derived from the pioneering work by Schaefer [Sch78] on the complexity of Generalized Satisfiability problems. In order to describe Schaefer's work and relate it to the inference problem, we need to introduce some terminology and notation.

A logical relation (or generalized connective) R is a non-empty subset of {0,1}^k, for some k ≥ 1. If S = {R_1, ..., R_m, ...} is a set of logical relations, then an F(S)-formula is a conjunction of expressions (called generalized clauses or, simply, clauses) of the form R_i(x_1, ..., x_k), where each R_i is a relation symbol representing the logical relation R_i in S and each x_j is a Boolean variable. Furthermore, an F_C(S)-formula is a formula obtained from an F(S)-formula by substituting some of the variables by the constant symbols 0 and 1. Each set S of logical relations gives rise to the following Generalized Satisfiability problem Sat_C(S): given an F_C(S)-formula φ, is φ satisfiable? In a similar manner, one obtains the family of Sat(S) problems by considering F(S)-formulas instead of F_C(S)-formulas.

In [Sch78], four conditions were isolated and the following remarkable classification theorem for the family of all Generalized Satisfiability problems Sat_C(S) was established: if the set S satisfies at least one of these four conditions, then Sat_C(S) is solvable in polynomial time; otherwise, Sat_C(S) is NP-complete. These four conditions are: (1) every relation in S is the set of models of a Horn formula; (2) every relation in S is the set of models of a dual Horn formula; (3) every relation in S is the set of models of a 2CNF formula; (4) every relation in S is the set of models of an affine formula, i.e., a conjunction of formulas built using the ⊕ (exclusive or) connective. It should be noted that each of these conditions turned out to be efficiently checkable. Schaefer also obtained a classification theorem for the family of Sat(S) problems, which involves two additional conditions that trivially give rise to polynomial-time solvable Sat(S) problems. Note that the NP-completeness of Positive 1-In-3-Sat, Not-All-Equal 3-Sat and other well known variants of Sat is an immediate consequence of Schaefer's results. Moreover, the above results constitute the first instance of a dichotomy theorem for a family of decision problems in NP, i.e., results that concern an infinite family C of decision problems and assert that certain problems in C are NP-complete, while on the contrary all other problems in C are solvable in polynomial time. It should be pointed out that the a priori existence of dichotomy theorems cannot be taken for granted, since Ladner's theorem in [Lad75] asserts that if P ≠ NP, then there are problems in NP that are neither NP-complete nor in P.
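The "efficiently checkable" four conditions, worked as an added example (not from the paper): each condition is tested through the standard closure characterisation of the corresponding relation class (Horn: closed under coordinate-wise AND; dual Horn: under OR; 2CNF: under majority; affine: under x ⊕ y ⊕ z), a textbook fact that this page does not itself state. The relation encoding and the sample relations (including those behind Positive 1-In-3-Sat and Not-All-Equal 3-Sat) are constructed here.

```python
from itertools import product
from typing import Callable, FrozenSet, Iterable, Tuple

# A logical relation R ⊆ {0,1}^k, encoded (our convention) as a frozenset
# of 0/1 tuples of length k.
Relation = FrozenSet[Tuple[int, ...]]


def closed_under(R: Relation, op: Callable[..., int], arity: int) -> bool:
    """True iff applying op coordinate-wise to any `arity` tuples of R
    (repetition allowed) yields a tuple that is again in R."""
    for rows in product(R, repeat=arity):
        image = tuple(op(*col) for col in zip(*rows))
        if image not in R:
            return False
    return True


def is_horn(R: Relation) -> bool:          # condition (1)
    return closed_under(R, lambda a, b: a & b, 2)


def is_dual_horn(R: Relation) -> bool:     # condition (2)
    return closed_under(R, lambda a, b: a | b, 2)


def is_bijunctive(R: Relation) -> bool:    # condition (3): models of a 2CNF formula
    return closed_under(R, lambda a, b, c: (a & b) | (a & c) | (b & c), 3)


def is_affine(R: Relation) -> bool:        # condition (4): models of an affine formula
    return closed_under(R, lambda a, b, c: a ^ b ^ c, 3)


def schaefer_tractable(S: Iterable[Relation]) -> bool:
    """Sat_C(S) is in P iff all relations in S satisfy one and the same of
    the four conditions; otherwise Sat_C(S) is NP-complete."""
    S = list(S)
    return any(all(cond(R) for R in S)
               for cond in (is_horn, is_dual_horn, is_bijunctive, is_affine))


# Constructed sample relations.
R_OR2 = frozenset({(0, 1), (1, 0), (1, 1)})                   # models of x v y
R_XOR2 = frozenset({(0, 1), (1, 0)})                          # models of x ⊕ y = 1
R_1IN3 = frozenset({(1, 0, 0), (0, 1, 0), (0, 0, 1)})          # exactly one true
R_NAE3 = frozenset(t for t in product((0, 1), repeat=3)
                   if len(set(t)) == 2)                       # not all equal

if __name__ == "__main__":
    print(is_dual_horn(R_OR2), is_horn(R_OR2))     # True False
    print(is_affine(R_XOR2))                       # True
    print(schaefer_tractable({R_1IN3}))            # False: Positive 1-In-3-Sat
    print(schaefer_tractable({R_NAE3}))            # False: Not-All-Equal 3-Sat
```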

The inference problem in classical propositional logic is polynomial-time reducible to the satisfiability problem. Using this fact, it is easy to see that Schaefer's dichotomy theorem for satisfiability problems yields a dichotomy theorem for the inference problem in classical propositional logic. Specifically, if S is a set of logical relations that satisfy at least one of the four aforementioned conditions, then the inference problem in classical propositional logic for F_C(S)-formulas is solvable in polynomial time; otherwise, it is coNP-complete. In addition, a similar dichotomy theorem can be derived for the inference problem in classical propositional logic for F(S)-formulas.

In this paper, we use Schaefer's framework to investigate the computational complexity of the inference problem in propositional circumscription. Our main result asserts that, for every set $S$ of logical relations, either INF-CIRC($\mathcal{F}_C(S)$) is $\Pi_2^P$-complete or INF-CIRC($\mathcal{F}_C(S)$) is in coNP. In other words, our main result tells us that each restricted case of the inference problem for propositional circumscription either is as hard as the general case or is reducible to the inference problem for classical propositional logic. Moreover, it provides efficiently checkable criteria that, given a finite set $S$ of logical relations, distinguish the two possibilities for the complexity of INF-CIRC($\mathcal{F}_C(S)$). This constitutes a dichotomy theorem for the inference problem in propositional circumscription, since results by Ladner [Lad75] imply that if $\Pi_2^P \neq$ coNP, then there are decision problems in $\Pi_2^P$ that are neither $\Pi_2^P$-complete nor in coNP. It should also be pointed out that the boundary in the dichotomy separating $\Pi_2^P$-completeness from membership in coNP turns out to be different from the boundary in the dichotomy theorem for the inference problem in classical propositional logic.

Our main result is established in two stages. In the first stage, we prove a dichotomy theorem for the family of INF-CIRC($\mathcal{F}_C(S)$) problems, where $S$ is a set of 1-valid logical relations, i.e., each relation in $S$ contains the all-ones tuple $(1, \ldots, 1)$. In the second stage, we use this restricted dichotomy theorem as a stepping stone to derive the dichotomy theorem for the full family of INF-CIRC($\mathcal{F}_C(S)$) problems, where $S$ is an arbitrary set of logical relations. To this effect, we apply the restricted dichotomy theorem to the set $S^*$ of all 1-valid logical relations obtained from relations in $S$ by replacing some variables by 0. A two-stage approach was used for the first time in a recent paper [KK01], where a dichotomy theorem for minimal satisfiability problems was established. With some extra work, we can also obtain a dichotomy theorem for the family of all INF-CIRC($\mathcal{F}(S)$) problems, where $S$ is a set of logical relations. Due to space limitations, this result will be presented in the full version of the present paper.

Since the publication of the original dichotomy theorem by Schaefer [Sch78], researchers have obtained several other dichotomy theorems for certain variants of satisfiability problems (see, for instance, [Cre95, KSW97, CH96, CH97, KS98, RV00, KK01]). The results reported here provide the first dichotomy between $\Pi_2^P$-completeness and membership in coNP. At the technical level, the proofs make extensive use of Schaefer's expressibility theorem [Sch78, Theorem 3.0], as well as of a definability result by Creignou and Hebrard [CH97] and other special-purpose definability results established here.

Finally, we conjecture that a trichotomy theorem holds for the complexity of propositional circumscription. Specifically, we conjecture that, for every set $S$ of logical relations, exactly one of the following three alternatives holds: (1) INF-CIRC($\mathcal{F}_C(S)$) is $\Pi_2^P$-complete; (2) INF-CIRC($\mathcal{F}_C(S)$) is coNP-complete; (3) INF-CIRC($\mathcal{F}_C(S)$) is solvable in polynomial time. Note that if this conjecture is confirmed, it will yield the first trichotomy theorem for a family of natural decision problems in a complexity class beyond NP. In view of the dichotomy theorem established here, it remains to establish a dichotomy theorem for those INF-CIRC($\mathcal{F}_C(S)$) problems that are in coNP. Although the results in [CL94] yield parts of this conjectured dichotomy, much more remains to be done in order to complete the picture.

2  Preliminaries  and  Background 

This section contains a minimum amount of the necessary background material on the complexity of GENERALIZED SATISFIABILITY problems from [Sch78].

Let $S = \{R_1, \ldots, R_m, \ldots\}$ be a set of logical relations of various arities. As stated in Section 1, an $\mathcal{F}(S)$-formula is a finite conjunction of clauses built using relations from $S$ and propositional variables, while an $\mathcal{F}_C(S)$-formula is a formula built using relations from $S$, propositional variables, and the constant symbols 0 or 1. Recall also that SAT($S$) is the following decision problem: given an $\mathcal{F}(S)$-formula $\varphi$, is it satisfiable? (i.e., is there a truth assignment to the variables of $\varphi$ that makes every clause of $\varphi$ true?) The decision problem SAT$_C$($S$) is defined in a similar way.

Clearly, for each finite set $S$ of logical relations, both SAT($S$) and SAT$_C$($S$) are problems in NP. Several well-known NP-complete problems can easily be cast as SAT($S$) problems for particular sets $S$ of logical relations. For example, 3-SAT coincides with the problem SAT($S$), where $S = \{R_0, R_1, R_2, R_3\}$ and $R_0 = \{0,1\}^3 - \{(0,0,0)\}$ (expressing the clause $(x \vee y \vee z)$), $R_1 = \{0,1\}^3 - \{(1,0,0)\}$ (expressing the clause $(\neg x \vee y \vee z)$), $R_2 = \{0,1\}^3 - \{(1,1,0)\}$ (expressing the clause $(\neg x \vee \neg y \vee z)$), and $R_3 = \{0,1\}^3 - \{(1,1,1)\}$ (expressing the clause $(\neg x \vee \neg y \vee \neg z)$). Similarly, the NP-complete problem POSITIVE 1-IN-3-SAT ([GJ79, LO4, page 259]) is precisely the problem SAT($S$), where $S$ is the singleton consisting of the relation $R_{1/3} = \{(1,0,0), (0,1,0), (0,0,1)\}$.

Recall that a Horn formula is a conjunction of clauses each of which is a disjunction of literals such that at most one of them is a variable. Similarly, a dual Horn formula is a conjunction of clauses each of which is a disjunction of literals such that at most one of them is a negated variable. As mentioned in Section 1, an affine formula is a conjunction of subformulas each of which is an exclusive disjunction $\oplus$ of literals or a negation of an exclusive disjunction of literals.

Definition 2.1: Let $R$ be a logical relation and $S$ a finite set of logical relations.

$R$ is 1-valid if it contains the tuple $(1, 1, \ldots, 1)$, whereas $R$ is 0-valid if it contains the tuple $(0, 0, \ldots, 0)$. We say that $S$ is 1-valid (0-valid) if every member of $S$ is 1-valid (0-valid).

$R$ is 2CNF (Horn, dual Horn, or affine, respectively) if there is a propositional formula $\varphi$ which is 2CNF (Horn, dual Horn, or affine, respectively) and such that $R$ coincides with the set of truth assignments satisfying $\varphi$.

$S$ is Schaefer if at least one of the following four conditions holds: every member of $S$ is 2CNF; every member of $S$ is Horn; every member of $S$ is dual Horn; every member of $S$ is affine. Otherwise, we say that $S$ is non-Schaefer. ■

There are efficient criteria to determine whether a logical relation is 2CNF, Horn, dual Horn, or affine. In fact, a set of such criteria was already provided by Schaefer [Sch78]; moreover, even simpler criteria for a relation to be Horn or dual Horn were given by Dechter and Pearl [DP92]. Each of these criteria involves a closure property of the logical relations at hand under a certain function. Specifically, a relation $R$ is 2CNF if and only if for all $t_1, t_2, t_3 \in R$, we have that $(t_1 \vee t_2) \wedge (t_1 \vee t_3) \wedge (t_2 \vee t_3) \in R$, where the operators $\vee$ and $\wedge$ are applied coordinate-wise to bit tuples (this is the coordinate-wise majority of $t_1, t_2, t_3$). $R$ is Horn (respectively, dual Horn) if and only if for all $t_1, t_2 \in R$, we have that $t_1 \wedge t_2 \in R$ (respectively, $t_1 \vee t_2 \in R$). Finally, $R$ is affine if and only if for all $t_1, t_2, t_3 \in R$, we have that $t_1 \oplus t_2 \oplus t_3 \in R$.

If $S$ is a 0-valid or a 1-valid set of logical relations, then SAT($S$) is a trivial decision problem (the answer is always "yes"). If $S$ is an affine set of logical relations, then SAT($S$) can be solved in polynomial time using Gaussian elimination. Moreover, there are well-known polynomial-time algorithms for the satisfiability problem for the class of all 2CNF formulas (2-SAT), the class of all Horn formulas, and the class of all dual Horn formulas. Schaefer's seminal discovery was that the above six cases are the only tractable cases of SAT($S$); furthermore, the last four are the only tractable cases of SAT$_C$($S$).

Theorem 2.2: [Dichotomy Theorems, [Sch78]]

Let $S$ be a finite set of logical relations.

If $S$ is 0-valid or 1-valid or Schaefer, then SAT($S$) is solvable in polynomial time; otherwise, it is NP-complete.

If $S$ is Schaefer, then SAT$_C$($S$) is solvable in polynomial time; otherwise, it is NP-complete.

Theorem 2.2 immediately implies that POSITIVE 1-IN-3-SAT is NP-complete, since this is the same problem as SAT($\{R_{1/3}\}$), and $R_{1/3}$ is neither 0-valid, nor 1-valid, nor Schaefer, as can be seen by applying the aforementioned closure properties (for instance, $(1,0,0) \wedge (0,1,0) = (0,0,0) \notin R_{1/3}$, so $R_{1/3}$ is not Horn, and $(1,0,0) \vee (0,1,0) = (1,1,0) \notin R_{1/3}$, so it is not dual Horn).


To obtain the above dichotomy theorems, Schaefer had to first establish a result asserting that every non-Schaefer set $S$ has extremely high expressive power, in the sense that every logical relation can be defined from an $\mathcal{F}_C(S)$-formula using existential quantification.

Theorem 2.3: [Expressibility Theorem, [Sch78]]

Let $S$ be a finite set of logical relations. If $S$ is non-Schaefer, then for every $k$-ary logical relation $R$ there is an $\mathcal{F}_C(S)$-formula $\psi(x_1, \ldots, x_k, z_1, \ldots, z_m)$ such that $R$ coincides with the set of all truth assignments to the variables $x_1, \ldots, x_k$ that satisfy the formula $(\exists \mathbf{z})\,\psi(\mathbf{x}, \mathbf{z})$.

3  Propositional  Circumscription 

In circumscription, properties are specified in some logical formalism, a natural partial order between models of each formula is considered, and the focus is on models that are minimal with respect to this partial order. Minimal models are preferred because they have as few "exceptions" as possible and thus embody common sense. In propositional circumscription, properties are specified using propositional formulas and the focus is on models that are minimal with respect to the coordinate-wise partial order between truth assignments, as defined below.

Let $k \geq 1$ be an integer and let $\alpha = (a_1, \ldots, a_k)$, $\beta = (b_1, \ldots, b_k)$ be two $k$-tuples in $\{0,1\}^k$. We write $\beta \leq \alpha$ to denote that, for every $i \leq k$, we have that $b_i \leq a_i$ (as usual, $0 < 1$). Also, $\beta < \alpha$ means that $\beta \leq \alpha$ and $\beta \neq \alpha$. If $\varphi$ is a propositional formula and $\alpha$ is a truth assignment to the variables of $\varphi$, then we say that $\alpha$ is a minimal model of $\varphi$ if $\alpha$ satisfies $\varphi$ and no truth assignment $\beta < \alpha$ satisfies $\varphi$.

Let $\varphi$ and $\psi$ be two propositional formulas in CNF. We say that $\psi$ can be inferred from $\varphi$ under propositional circumscription, and write $\varphi \models_{\mathrm{CIRC}} \psi$, if $\psi$ is true in every minimal model of $\varphi$. Clearly, if $\psi$ is a conjunction $\bigwedge_{i=1}^{m} c_i$ of clauses $c_i$, then $\varphi \models_{\mathrm{CIRC}} \psi$ if and only if $\varphi \models_{\mathrm{CIRC}} c_i$ for every $i \leq m$. Thus, the inference problem for propositional circumscription can be stated as follows: given a propositional formula $\varphi$ in CNF and a clause $\psi$, does $\varphi \models_{\mathrm{CIRC}} \psi$? Since testing a truth assignment for minimality is in coNP, it follows that the inference problem for propositional circumscription is in $\Pi_2^P$. As mentioned earlier, in [EG93] this problem was shown to be $\Pi_2^P$-complete, even when $\varphi$ is a 3CNF-formula and $\psi$ is just a negative literal $\neg u$. Our goal is to investigate the complexity of the inference problem for propositional circumscription in the context of Schaefer's framework. More precisely, each set $S$ of logical relations gives rise to the following decision problem INF-CIRC($\mathcal{F}_C(S)$): given an $\mathcal{F}_C(S)$-formula $\varphi$ and a clause $\psi$, does $\varphi \models_{\mathrm{CIRC}} \psi$? The next proposition asserts that each of these decision problems is equivalent to a special case of it.
Proposition 3.1: For every set $S$ of logical relations, INF-CIRC($\mathcal{F}_C(S)$) is equivalent to the following decision problem: given an $\mathcal{F}_C(S)$-formula $\varphi$ and a negative clause $(\neg u_1 \vee \cdots \vee \neg u_n)$, does $\varphi \models_{\mathrm{CIRC}} (\neg u_1 \vee \cdots \vee \neg u_n)$?

Proof: Given an $\mathcal{F}_C(S)$-formula $\varphi$ and a clause $(x_1 \vee \cdots \vee x_m \vee \neg u_1 \vee \cdots \vee \neg u_n)$, let $\varphi'$ be the $\mathcal{F}_C(S)$-formula obtained from $\varphi$ by replacing each occurrence of $x_i$, $1 \leq i \leq m$, by 0. It is easy to verify that $\varphi \models_{\mathrm{CIRC}} (x_1 \vee \cdots \vee x_m \vee \neg u_1 \vee \cdots \vee \neg u_n)$ if and only if $\varphi' \models_{\mathrm{CIRC}} (\neg u_1 \vee \cdots \vee \neg u_n)$ (the minimal models of $\varphi'$ are exactly the restrictions of those minimal models of $\varphi$ in which every $x_i$ is 0, and these are the only minimal models of $\varphi$ that can falsify the original clause). ■

Consider the following restricted case of INF-CIRC($\mathcal{F}_C(S)$): given an $\mathcal{F}_C(S)$-formula $\varphi$ and a positive clause $(x_1 \vee \cdots \vee x_m)$, does $\varphi \models_{\mathrm{CIRC}} (x_1 \vee \cdots \vee x_m)$? This problem is in coNP, because it is easy to check that $\varphi \models_{\mathrm{CIRC}} (x_1 \vee \cdots \vee x_m)$ if and only if $\varphi \models (x_1 \vee \cdots \vee x_m)$ (if a model of $\varphi$ falsifies a positive clause, every model below it, in particular some minimal model, falsifies it as well). Thus, the inference of clauses with negative literals is essential in establishing that certain INF-CIRC($\mathcal{F}_C(S)$) problems are $\Pi_2^P$-complete.
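As an added worked example (not part of the original paper), the following Python code enumerates minimal models by brute force for small $\mathcal{F}_C(S)$-formulas, decides $\varphi \models_{\mathrm{CIRC}} \psi$ directly, and checks both the reduction of Proposition 3.1 (the variables of the positive literals of the clause are replaced by 0 in $\varphi$) and the observation above that circumscriptive and classical inference coincide on positive clauses. The relations $R_0$ and $R_3$ are the 3-SAT relations of Section 2; the formula `PHI` and the clauses are constructed test inputs, and the exponential enumeration is only meant for a handful of variables.

```python
from itertools import product

# Relations are sets of 0/1 tuples; R0 and R3 are the 3-SAT relations of
# Section 2. An F_C(S)-formula is a list of clauses (R, args), where each
# argument is a variable name or one of the constants 0, 1.
R0 = {t for t in product((0, 1), repeat=3) if t != (0, 0, 0)}  # x ∨ y ∨ z
R3 = {t for t in product((0, 1), repeat=3) if t != (1, 1, 1)}  # ¬x ∨ ¬y ∨ ¬z

# Constructed example: phi = R0(x,y,z) ∧ R3(x,y,z), i.e. (x∨y∨z) ∧ (¬x∨¬y∨¬z).
PHI = [(R0, ("x", "y", "z")), (R3, ("x", "y", "z"))]


def variables(formula):
    return sorted({a for _, args in formula for a in args if isinstance(a, str)})


def satisfies(alpha, formula):
    """alpha maps variable names to 0/1; constants in args pass through."""
    return all(tuple(alpha[a] if isinstance(a, str) else a for a in args) in R
               for R, args in formula)


def models(formula):
    vs = variables(formula)
    return [dict(zip(vs, bits)) for bits in product((0, 1), repeat=len(vs))
            if satisfies(dict(zip(vs, bits)), formula)]


def strictly_below(beta, alpha):
    """beta < alpha in the coordinate-wise order of Section 3."""
    return beta != alpha and all(beta[v] <= alpha[v] for v in alpha)


def minimal_models(formula):
    ms = models(formula)
    return [a for a in ms if not any(strictly_below(b, a) for b in ms)]


# A clause is a list of literals (variable, polarity), polarity 1 = positive.
# Assumption: every clause variable occurs in the formula, and no variable
# occurs both positively and negatively in the same clause.
def clause_holds(alpha, clause):
    return any(alpha[v] == polarity for v, polarity in clause)


def entails(formula, clause):
    """Classical inference: the clause holds in every model."""
    return all(clause_holds(a, clause) for a in models(formula))


def entails_circ(formula, clause):
    """Inference under circumscription: the clause holds in every minimal model."""
    return all(clause_holds(a, clause) for a in minimal_models(formula))


def substitute_zero(formula, vars_to_zero):
    """Proposition 3.1: replace every occurrence of the given variables by 0."""
    return [(R, tuple(0 if a in vars_to_zero else a for a in args)) for R, args in formula]


def entails_circ_via_negative_clause(formula, clause):
    """Decide phi |=CIRC clause by the reduction of Proposition 3.1: drop the
    positive literals and set their variables to 0 in phi."""
    positives = {v for v, polarity in clause if polarity == 1}
    negatives = [(v, polarity) for v, polarity in clause if polarity == 0]
    return entails_circ(substitute_zero(formula, positives), negatives)


def summary():
    """Checks from Section 3 on the constructed PHI; returns a dict of results."""
    neg = [("x", 0), ("y", 0)]               # ¬x ∨ ¬y
    pos = [("x", 1), ("y", 1)]               # x ∨ y
    mixed = [("z", 1), ("x", 0), ("y", 0)]   # z ∨ ¬x ∨ ¬y
    return {
        "minimal_models": sorted(tuple(a[v] for v in "xyz") for a in minimal_models(PHI)),
        "neg_classical": entails(PHI, neg),   # model (1,1,0) falsifies ¬x ∨ ¬y
        "neg_circ": entails_circ(PHI, neg),   # but every minimal model is a unit vector
        "pos_classical": entails(PHI, pos),   # positive clause: both notions agree
        "pos_circ": entails_circ(PHI, pos),
        "mixed_direct": entails_circ(PHI, mixed),
        "mixed_reduced": entails_circ_via_negative_clause(PHI, mixed),
    }
```

On `PHI` the minimal models are the three unit vectors, so $\neg x \vee \neg y$ follows under circumscription but not classically, while the positive clause $x \vee y$ is entailed under neither; the mixed clause gives the same answer whether decided directly or through the reduction of Proposition 3.1.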

We are now ready to state the main results of this paper. These results classify the complexity of all INF-CIRC($\mathcal{F}_C(S)$) problems and, in particular, give efficiently checkable criteria that characterize when INF-CIRC($\mathcal{F}_C(S)$) is a $\Pi_2^P$-complete problem. As mentioned in Section 1, we first establish a dichotomy theorem for INF-CIRC($\mathcal{F}_C(S)$), where $S$ is assumed to be a 1-valid set of logical relations, i.e., every relation in $S$ contains the all-ones tuple $(1, 1, \ldots, 1)$.

Theorem 3.2: Let $S$ be a 1-valid set of logical relations.

If $S$ is Schaefer, then INF-CIRC($\mathcal{F}_C(S)$) is in coNP; otherwise, it is $\Pi_2^P$-complete. Actually, if $S$ is non-Schaefer, then even the following special case of INF-CIRC($\mathcal{F}_C(S)$) is $\Pi_2^P$-complete: given an $\mathcal{F}_C(S)$-formula $\varphi$ and a negative literal $\neg u$, does $\varphi \models_{\mathrm{CIRC}} \neg u$?

Moreover, there is a polynomial-time algorithm to decide whether, given a finite 1-valid set $S$ of logical relations, INF-CIRC($\mathcal{F}_C(S)$) is in coNP or $\Pi_2^P$-complete.

An  outline  of  the  proof  of  Theorem  3.2  is  presented  in 
Section  4.  The  following  examples  illustrate  the  preceding 
Theorem  3.2  and  provide  new  instances  of  restricted  cases 
of  the  inference  problem  for  propositional  circumscription 
having  the  same  inherent  complexity  as  the  general  case. 

Example 3.3: Consider the ternary logical relation $K = \{(1,1,1), (0,1,0), (0,0,1)\}$; note that $K$ is 1-valid. Using the closure properties that characterize when a logical relation is 2CNF, Horn, dual Horn, or affine, it is easy to see that $K$ is none of the above. For instance, $K$ is not Horn because $(0,1,0) \wedge (0,0,1) = (0,0,0) \notin K$; likewise $(0,1,0) \vee (0,0,1) = (0,1,1) \notin K$, $(1,1,1) \oplus (0,1,0) \oplus (0,0,1) = (1,0,0) \notin K$, and the coordinate-wise majority of the three tuples of $K$ is $(0,1,1) \notin K$. Consequently, Theorem 3.2 implies that INF-CIRC($\mathcal{F}_C(\{K\})$) is $\Pi_2^P$-complete. ■

Example 3.4: Consider the 1-valid set $S = \{R_0, R_1, R_2\}$, where $R_0 = \{0,1\}^3 - \{(0,0,0)\}$ (expressing the clause $(x \vee y \vee z)$), $R_1 = \{0,1\}^3 - \{(1,0,0)\}$ (expressing the clause $(\neg x \vee y \vee z)$), and $R_2 = \{0,1\}^3 - \{(1,1,0)\}$ (expressing the clause $(\neg x \vee \neg y \vee z)$). Using the closure properties, it is easy to verify that $R_1$ is neither 2CNF, nor Horn, nor affine, and that $R_2$ is not dual Horn. Consequently, Theorem 3.2 implies that INF-CIRC($\mathcal{F}_C(S)$) is $\Pi_2^P$-complete. ■

As mentioned in Section 1, Theorem 3.2 can be used as a stepping stone to obtain a dichotomy theorem for the family of all INF-CIRC($\mathcal{F}_C(S)$) problems, where $S$ is an arbitrary set of logical relations. To this effect, we use the following crucial concept, which was first introduced in [KK01].

Definition 3.5: Let $R$ be a $k$-ary logical relation. We say that a logical relation $T$ is a 0-section of $R$ if either $T$ is the relation $R$ itself or $T$ can be defined from the formula $R(x_1, \ldots, x_k)$ by replacing at least one, but not all, of the variables $x_1, \ldots, x_k$ by 0. ■

To illustrate this concept, consider the logical relation $R_{1/3} = \{(1,0,0), (0,1,0), (0,0,1)\}$. Then the logical relation $\{(1)\}$ is a 0-section of $R_{1/3}$, since it is definable by $R_{1/3}(x, 0, 0)$. In fact, it is easy to see that $\{(1)\}$ is the only logical relation that is both 1-valid and a 0-section of $R_{1/3}$ (replacing a single variable by 0 yields $\{(1,0), (0,1)\}$, which is not 1-valid, and $R_{1/3}$ itself is not 1-valid).

Theorem 3.6: Let $S$ be a set of logical relations and let $S^*$ be the set of all logical relations $P$ such that $P$ is both 1-valid and a 0-section of some relation in $S$.

If $S^*$ is Schaefer, then INF-CIRC($\mathcal{F}_C(S)$) is in coNP; otherwise, it is $\Pi_2^P$-complete. Actually, if $S^*$ is non-Schaefer, then even the following special case of INF-CIRC($\mathcal{F}_C(S)$) is $\Pi_2^P$-complete: given an $\mathcal{F}_C(S)$-formula $\varphi$ and a negative literal $\neg u$, does $\varphi \models_{\mathrm{CIRC}} \neg u$?

Moreover, there is a polynomial-time algorithm to decide whether, given a finite set $S$ of logical relations, INF-CIRC($\mathcal{F}_C(S)$) is in coNP or $\Pi_2^P$-complete.

The  proof  of  Theorem  3.6  will  be  given  in  the  full  paper. 
We  now  present  several  different  examples  that  illustrate  the 
power  of  Theorem  3.6.  The  first  shows  how  the  main  result 
in  [EG93]  can  be  easily  derived  from  Theorem  3.6. 

Example 3.7: Recall that 3-SAT coincides with SAT($S$), where $S = \{R_0, R_1, R_2, R_3\}$ and $R_0 = \{0,1\}^3 - \{(0,0,0)\}$ (expressing the clause $(x \vee y \vee z)$), $R_1 = \{0,1\}^3 - \{(1,0,0)\}$ (expressing the clause $(\neg x \vee y \vee z)$), $R_2 = \{0,1\}^3 - \{(1,1,0)\}$ (expressing the clause $(\neg x \vee \neg y \vee z)$), and $R_3 = \{0,1\}^3 - \{(1,1,1)\}$ (expressing the clause $(\neg x \vee \neg y \vee \neg z)$).

Since the logical relations $R_0$, $R_1$, $R_2$ are 1-valid, they are members of $S^*$. It follows that $S^*$ is not Schaefer, since $R_1$ is not 2CNF or Horn or affine, and $R_2$ is not dual Horn. Theorem 3.6 immediately implies that INF-CIRC($\mathcal{F}_C(S)$) (i.e., INF-CIRC(3CNF)) is $\Pi_2^P$-complete. ■
Example 3.8: Consider the set $S = \{R_0, R_3\}$, where $R_0$ and $R_3$ are as in the preceding Example 3.7. In this case, SAT($S$) is the problem MONOTONE 3-SAT, that is to say, the restriction of 3-SAT to 3CNF-formulas in which every clause is either the disjunction of positive literals or the disjunction of negative literals. It is well known that this problem is NP-complete (this can also be derived from Schaefer's Dichotomy Theorem 2.2). It is not hard to verify that every relation in $S^*$ is dual Horn (for instance, $S^*$ contains $R_0$, which is dual Horn; the other 0-sections of $R_0$ express shorter positive clauses, and replacing any variable of $R_3$ by 0 turns the clause $(\neg x \vee \neg y \vee \neg z)$ into a tautology, so the remaining members of $S^*$ are full relations). Consequently, Theorem 3.6 implies that INF-CIRC($\mathcal{F}_C(S)$) is in coNP. ■

The preceding example reveals that the boundary in the dichotomy for the inference problem in classical propositional logic is different from that in the dichotomy for the inference problem in propositional circumscription. Several other instances of this phenomenon are provided by the final example of this section.

Example 3.9: If $m$ and $n$ are two positive integers with $m < n$, then $R_{m/n}$ is the $n$-ary logical relation consisting of all $n$-tuples that have $m$ ones and $n - m$ zeros. It is easy to see that $R_{m/n}$ is not Schaefer. Consequently, if $S$ is a set of logical relations each of which is of the form $R_{m/n}$ for some $m$ and $n$ with $m < n$, then SAT($S$) is NP-complete. On the other hand, $S^*$ is easily seen to be Horn (and, hence, Schaefer), since every relation $P$ in $S^*$ is a singleton $P = \{(1, \ldots, 1)\}$ consisting of the $m$-ary all-ones tuple for some $m$. Consequently, Theorem 3.6 implies that INF-CIRC($\mathcal{F}_C(S)$) is in coNP.

This family of examples contains POSITIVE 1-IN-3-SAT as the special case where $S = \{R_{1/3}\}$. ■
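The following Python code is an added example, not taken from the paper, that implements the closure criteria stated in Section 2 (closure of a relation under coordinate-wise conjunction, disjunction, three-way exclusive or, and majority), the Schaefer test of Definition 2.1, the classification of SAT($S$) and SAT$_C$($S$) by Theorem 2.2, the 0-sections of Definition 3.5, the set $S^*$ and the classification of INF-CIRC($\mathcal{F}_C(S)$) by Theorem 3.6. It is then run on the relations of Examples 3.3, 3.7, 3.8 and 3.9. Relations are represented as frozensets of 0/1 tuples; the function names are this example's own.

```python
from itertools import product

# Relations are frozensets of 0/1 tuples of a single arity. Added example
# code implementing the closure tests of Section 2 (Schaefer [Sch78],
# Dechter and Pearl [DP92]) and the 0-sections of Definition 3.5.


def _pointwise(op, *tuples):
    return tuple(op(*bits) for bits in zip(*tuples))


def is_horn(R):       # closed under coordinate-wise AND
    return all(_pointwise(lambda a, b: a & b, s, t) in R for s in R for t in R)


def is_dual_horn(R):  # closed under coordinate-wise OR
    return all(_pointwise(lambda a, b: a | b, s, t) in R for s in R for t in R)


def is_affine(R):     # closed under coordinate-wise XOR of three tuples
    return all(_pointwise(lambda a, b, c: a ^ b ^ c, s, t, w) in R
               for s in R for t in R for w in R)


def is_2cnf(R):       # closed under coordinate-wise majority
    maj = lambda a, b, c: (a | b) & (a | c) & (b | c)
    return all(_pointwise(maj, s, t, w) in R for s in R for t in R for w in R)


def arity(R):
    return len(next(iter(R)))


def is_1_valid(R):
    return (1,) * arity(R) in R


def is_0_valid(R):
    return (0,) * arity(R) in R


def is_schaefer(S):
    """Definition 2.1: one of the four properties holds for every member of S."""
    return any(all(prop(R) for R in S)
               for prop in (is_2cnf, is_horn, is_dual_horn, is_affine))


def sat_complexity(S, with_constants=False):
    """Theorem 2.2 for SAT(S), or for SAT_C(S) if with_constants is set."""
    easy = is_schaefer(S) or (not with_constants and
                              (all(is_0_valid(R) for R in S) or all(is_1_valid(R) for R in S)))
    return "P" if easy else "NP-complete"


def zero_sections(R):
    """Definition 3.5: R itself plus every R(x_1..x_k) with at least one but not
    all variables replaced by 0. Empty results are dropped: they are never
    1-valid, so they cannot enter S*."""
    k = arity(R)
    sections = {frozenset(R)}
    for zeroed in product((False, True), repeat=k):
        if not any(zeroed) or all(zeroed):
            continue
        keep = [i for i in range(k) if not zeroed[i]]
        T = frozenset(tuple(t[i] for i in keep) for t in R
                      if all(t[i] == 0 for i in range(k) if zeroed[i]))
        if T:
            sections.add(T)
    return sections


def s_star(S):
    """The set S* of Theorem 3.6: all 1-valid 0-sections of relations in S."""
    return {T for R in S for T in zero_sections(R) if is_1_valid(T)}


def inf_circ_complexity(S):
    """Theorem 3.6 applied to S."""
    return "coNP" if is_schaefer(s_star(S)) else "Pi2P-complete"


# Relations used in the examples of Sections 2 and 3.
def clause_relation(polarities):
    """Models of a clause whose i-th literal is positive iff polarities[i] == 1."""
    return frozenset(t for t in product((0, 1), repeat=len(polarities))
                     if any(b == p for b, p in zip(t, polarities)))


def r_m_n(m, n):
    """R_{m/n} of Example 3.9: the n-tuples with exactly m ones."""
    return frozenset(t for t in product((0, 1), repeat=n) if sum(t) == m)


R0, R1, R2, R3 = (clause_relation(p) for p in ((1, 1, 1), (0, 1, 1), (0, 0, 1), (0, 0, 0)))
K = frozenset({(1, 1, 1), (0, 1, 0), (0, 0, 1)})   # Example 3.3
THREE_SAT = {R0, R1, R2, R3}                         # Example 3.7
MONOTONE_3SAT = {R0, R3}                             # Example 3.8
```

Running `inf_circ_complexity` on `THREE_SAT`, `{R0, R1, R2}` and `{K}` reports $\Pi_2^P$-completeness, while `MONOTONE_3SAT` and any set of relations $R_{m/n}$ land in coNP, even though `sat_complexity` reports all of them NP-complete; this is the shift of boundary discussed above.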

4  Outline  of  Proof  of  Theorem  3.2 

In this section, we present an outline of the proof of the dichotomy theorem for INF-CIRC($\mathcal{F}_C(S)$), where $S$ is a 1-valid set of logical relations. Due to space limitations, we have to confine ourselves to stating the main technical steps and to making a few high-level comments.

Assume first that $S$ is Schaefer. In this case, it is easy to see that there is a polynomial-time algorithm to decide whether a given model of an $\mathcal{F}_C(S)$-formula is minimal. From this fact, it follows immediately that if $S$ is Schaefer, then INF-CIRC($\mathcal{F}_C(S)$) is in coNP.

Towards the $\Pi_2^P$-hardness result, assume that $S$ is not Schaefer. Using Schaefer's Expressibility Theorem 2.3, the following decision problem can be shown to be $\Pi_2^P$-complete: given an $\mathcal{F}(S)$-formula $\varphi(\mathbf{x}, \mathbf{y}, w_0, w_1)$, decide whether the sentence $\forall \mathbf{x}\, \exists \mathbf{y}\, \varphi(\mathbf{x}, \mathbf{y}, 0/w_0, 1/w_1)$ is true. Our goal is to show that this problem has a polynomial-time reduction to INF-CIRC($\mathcal{F}_C(S)$). One of the key steps in the reduction is the following lemma, which was inspired by a result in [EG93]. A proof can be found in the Appendix.


Lemma 4.1: Let $S$ be a 1-valid set and let $\varphi(\mathbf{x}, \mathbf{y}, w_0, w_1)$ be an $\mathcal{F}(S)$-formula, where $\mathbf{x} = (x_1, \ldots, x_n)$, $\mathbf{y} = (y_1, \ldots, y_m)$, $w_0$ and $w_1$ is the list of its variables. Let $u$, $\mathbf{x}' = (x'_1, \ldots, x'_n)$ and $\mathbf{z} = (z_1, \ldots, z_n)$ be new variables, and let $\chi(u, \mathbf{x}, \mathbf{z}, \mathbf{x}', \mathbf{y})$ be the following formula:

$$\varphi(\mathbf{x}', \mathbf{y}, u/w_0, 1/w_1) \;\wedge\; \bigwedge_{i=1}^{n} (x_i \oplus z_i) \;\wedge\; \bigwedge_{j=1}^{m} (u \to y_j) \;\wedge\; \bigwedge_{i=1}^{n} \big(x'_i = (u \vee x_i)\big).$$

Then the formula $\forall \mathbf{x}\, \exists \mathbf{y}\, \varphi(\mathbf{x}, \mathbf{y}, 0/w_0, 1/w_1)$ is true if and only if $\chi(u, \mathbf{x}, \mathbf{z}, \mathbf{x}', \mathbf{y}) \models_{\mathrm{CIRC}} \neg u$.

Although $\varphi$ is an $\mathcal{F}_C(S)$-formula, the formula $\chi$ in the preceding lemma is not an $\mathcal{F}_C(S)$-formula, because it contains elementary connectives, such as $=$, $\to$ and $\vee$. So, the task now is to construct an $\mathcal{F}_C(S)$-formula $\theta$ in polynomial time such that $\chi \models_{\mathrm{CIRC}} \neg u$ if and only if $\theta \models_{\mathrm{CIRC}} \neg u$. It is now natural to apply Schaefer's Expressibility Theorem 2.3 again and express each of the above elementary connectives using an $\exists\mathcal{F}_C(S)$-formula, i.e., a formula of the form $\exists \mathbf{v}\, \zeta$, where $\zeta$ is an $\mathcal{F}_C(S)$-formula. After these steps are completed, we obtain an $\exists\mathcal{F}_C(S)$-formula $\exists \mathbf{v}\, \chi'$ with the same free variables as $\chi$ such that $\chi \models_{\mathrm{CIRC}} \neg u$ if and only if $\exists \mathbf{v}\, \chi' \models_{\mathrm{CIRC}} \neg u$. At this point, one may be tempted to simply drop the existential quantifiers $\exists \mathbf{v}$, focus on the $\mathcal{F}_C(S)$-formula $\chi'$, and claim that $\chi \models_{\mathrm{CIRC}} \neg u$ if and only if $\chi' \models_{\mathrm{CIRC}} \neg u$. The flaw in this argument is that Schaefer's Expressibility Theorem 2.3 gives no explicit information about the possible values of the existential quantifiers in $\exists\mathcal{F}_C(S)$-formulas expressing logical relations. As a result, the witnesses to the variables $\mathbf{v}$ in the existential quantifiers $\exists \mathbf{v}$ may not give rise to minimal satisfying truth assignments of $\chi'$, hence the claimed equivalence may fail.

To bypass this serious obstacle, we must give up applying Schaefer's Expressibility Theorem 2.3 and instead have to use certain expressibility lemmas to the effect that all necessary elementary connectives are definable by $\exists\mathcal{F}_C(S)$-formulas with explicit information about the witnesses to the existential quantifiers. The first of these lemmas, due to Creignou and Hebrard [CH97], concerns the definability of the connectives $\to$ and $\vee$; it also brings out the importance of the logical relation $K$ introduced in Example 3.3. In what follows, $\mathcal{F}_1(S)$ denotes the class of all formulas obtained from $\mathcal{F}(S)$-formulas by substituting some variables by the constant 1.

Lemma 4.2: (Creignou and Hebrard [CH97]) Let $S$ be a 1-valid, non-Schaefer set of logical relations. Then at least one of the following two statements is true.

1. There exists an $\mathcal{F}_1(S)$-formula $\varepsilon(x, y)$ with the property that $(x \to y) \equiv \varepsilon(x, y)$.

2. The logical relation $K = \{(1,1,1), (0,1,0), (0,0,1)\}$ is in $\mathcal{F}_1(S)$, i.e., there exists an $\mathcal{F}_1(S)$-formula $\kappa(x, y, z)$ which is satisfied only by the three truth assignments $(1,1,1)$, $(0,1,0)$ and $(0,0,1)$. Therefore:

(i) $(x \to y) \equiv (\exists z)\,\kappa(x, y, z)$; moreover, $(\exists z)\,\kappa(x, y, z)$ has the additional property that 1 is the only witness for the variable $z$ under the truth assignment $(1,1)$ to the variables $(x, y)$.

(ii) $(x \vee y) \equiv (\exists z)\,\kappa(z, x, y)$; moreover, $(\exists z)\,\kappa(z, x, y)$ has the additional property that 1 is the only witness for the variable $z$ under the truth assignment $(1,1)$ to the variables $(x, y)$.

The second expressibility lemma concerns the definability of the connective $=$.

Lemma 4.3: Let $S$ be a 1-valid, non-Schaefer set of logical relations. Then there exists a three-variable $\mathcal{F}_1(S)$-formula $\kappa'(x, y, z)$ that is satisfied by the truth assignments $(1,1,1)$, $(1,0,0)$ and $(0,0,1)$ but is not satisfied by the truth assignment $(1,0,1)$ (no information about the remaining four possible assignments is required). Moreover, if we set $\lambda(x', u, z, z')$ to be the formula

$$(u \to x') \wedge (x' \vee z) \wedge (z \to z') \wedge (u \to z') \wedge \kappa'(x', u, z'),$$

we have the following properties:

(i) the formula $x' = (u \vee \neg z)$ is logically equivalent to the formula $(\exists z')\,\lambda(x', u, z, z')$;

(ii) the only witnesses $z'$ for each of the four assignments $(x' = 1, u = 1, z = 0)$, $(x' = 1, u = 0, z = 0)$, $(x' = 1, u = 1, z = 1)$ and $(x' = 0, u = 0, z = 1)$ that satisfy the formula $(\exists z')\,\lambda(x', u, z, z')$ are $z' = 1$, $z' = 0$, $z' = 1$ and $z' = 1$, respectively.
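Both lemmas make claims about a finite number of truth assignments, so they can be checked mechanically. The following Python code is an added check, not part of the paper: it computes the relation defined by an existential formula together with the witness set of each assignment, verifies properties (i) and (ii) of Lemma 4.2 for the relation $K$, and verifies properties (i) and (ii) of Lemma 4.3 for every one of the 16 relations $\kappa'$ that contain $(1,1,1)$, $(1,0,0)$, $(0,0,1)$ and exclude $(1,0,1)$, which confirms that the remaining four assignments are indeed irrelevant. The function names are this example's own.

```python
from itertools import product

# Added check, not part of the paper: brute-force verification of the witness
# properties claimed in Lemma 4.2 (for the relation K) and in Lemma 4.3 (for
# every admissible choice of kappa').

K = {(1, 1, 1), (0, 1, 0), (0, 0, 1)}


def implies(a, b):
    return (not a) or b


def exists_last(pred, n):
    """For every assignment v to the first n arguments, the set of values of the
    last argument z with pred(*v, z) true. The keys with a non-empty witness set
    form the relation defined by the existential formula."""
    return {v: {z for z in (0, 1) if pred(*v, z)} for v in product((0, 1), repeat=n)}


def defined_relation(table):
    return {v for v, witnesses in table.items() if witnesses}


def check_lemma_4_2():
    impl = exists_last(lambda x, y, z: (x, y, z) in K, 2)   # (∃z) κ(x, y, z)
    disj = exists_last(lambda x, y, z: (z, x, y) in K, 2)   # (∃z) κ(z, x, y)
    return (defined_relation(impl) == {(x, y) for x in (0, 1) for y in (0, 1) if implies(x, y)}
            and impl[(1, 1)] == {1}
            and defined_relation(disj) == {(x, y) for x in (0, 1) for y in (0, 1) if x or y}
            and disj[(1, 1)] == {1})


REQUIRED = {(1, 1, 1), (1, 0, 0), (0, 0, 1)}
FORBIDDEN = (1, 0, 1)
FREE = [t for t in product((0, 1), repeat=3) if t not in REQUIRED and t != FORBIDDEN]


def admissible_kappa_primes():
    """All 16 relations satisfying the hypothesis of Lemma 4.3 on kappa'."""
    for chosen in product((False, True), repeat=len(FREE)):
        yield REQUIRED | {t for t, c in zip(FREE, chosen) if c}


def lam(kappa_prime):
    """lambda(x', u, z, z') of Lemma 4.3 for the given kappa'."""
    return lambda xp, u, z, zp: (implies(u, xp) and (xp or z) and implies(z, zp)
                                 and implies(u, zp) and (xp, u, zp) in kappa_prime)


def check_lemma_4_3():
    # Property (i): the defined relation is exactly x' = (u ∨ ¬z).
    target = {(xp, u, z) for xp, u, z in product((0, 1), repeat=3) if xp == int(u or not z)}
    # Property (ii): the unique witnesses listed in the lemma.
    witnesses = {(1, 1, 0): {1}, (1, 0, 0): {0}, (1, 1, 1): {1}, (0, 0, 1): {1}}
    for kp in admissible_kappa_primes():
        table = exists_last(lam(kp), 3)
        if defined_relation(table) != target:
            return False
        if any(table[v] != ws for v, ws in witnesses.items()):
            return False
    return True
```

The witness sets are what the proof of Theorem 3.2 needs: at the assignments with $u = 1$ every existentially quantified variable is forced to 1, which is what keeps the extended assignments comparable in requirement R3 below.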

The  proof  of  Lemma  4.3  can  be  found  in  the  Appendix, 
which  also  contains  a  self-contained  proof  of  Lemma  4.2, 
since  that  proof  is  used  in  the  proof  of  Lemma  4.3. 

We are now ready to return to the proof of Theorem 3.2. As stated earlier, our goal is to show that the following problem has a polynomial-time reduction to INF-CIRC($\mathcal{F}_C(S)$): given an $\mathcal{F}(S)$-formula $\varphi(\mathbf{x}, \mathbf{y}, w_0, w_1)$, decide whether the sentence $\forall \mathbf{x}\, \exists \mathbf{y}\, \varphi(\mathbf{x}, \mathbf{y}, 0/w_0, 1/w_1)$ is true. Towards this goal, we start with the formula $\chi$ described in Lemma 4.1 and then adjust $\chi$ in six successive steps $l = 1, \ldots, 6$ (enumerated below). At the last step, we will have constructed an $\mathcal{F}_C(S)$-formula for which the desired reduction holds. More formally, at each step $l = 1, \ldots, 6$, we will construct a formula $\chi_l$ such that for all $l = 0, \ldots, 5$ (assuming that $\chi_0$ is $\chi$), the set of free variables of $\chi_l$ is a subset (not necessarily proper) of the set of free variables of $\chi_{l+1}$ and, in addition, the formulas $\chi_l$ will satisfy the following three requirements:


R1: Every truth assignment that satisfies $\chi_l$ can be extended to a truth assignment that satisfies $\chi_{l+1}$.

R2: The restriction of every truth assignment that satisfies $\chi_{l+1}$ to the variables of $\chi_l$ also satisfies $\chi_l$.

R3: Let $\alpha$ and $\alpha'$ be two satisfying truth assignments of $\chi_l$ such that $\alpha(u) = 1$ and $\alpha' \leq \alpha$. If $\beta$ is an extension of $\alpha$ to a satisfying truth assignment of $\chi_{l+1}$, then there is an extension $\beta'$ of $\alpha'$ to a satisfying truth assignment of $\chi_{l+1}$ such that $\beta' \leq \beta$.

It is easy to see that once we prove the above three requirements, then for each $l \geq 0$, $\chi_l$ has a minimal satisfying truth assignment with $u = 1$ if and only if $\chi_{l+1}$ does. From Lemma 4.1 and the fact that the formula constructed at the last step will be in $\mathcal{F}_C(S)$, it follows that the reduction will be complete.

Notice first that if $\chi_l$ and $\chi_{l+1}$ have the same set of free variables, then the above three requirements are equivalent to asserting that $\chi_l$ and $\chi_{l+1}$ are logically equivalent.

Step 1: In $\chi$, replace each connective $x'_i = (u \vee x_i)$, for $i = 1, \ldots, n$, with $x'_i = (u \vee \neg z_i)$. The formula $\chi_1$ has the same variables as $\chi$ and it is equivalent to $\chi$, since the conjunct $\bigwedge_{i=1}^{n} (x_i \oplus z_i)$ appears in both $\chi$ and $\chi_1$. Therefore the requirements R1-R3 are satisfied.

Step 2: In $\chi_1$, replace each connective $x'_i = (u \vee \neg z_i)$, for $i = 1, \ldots, n$, by $\lambda(x'_i, u, z_i, z'_i)$, where the $z'_i$, for $i = 1, \ldots, n$, are new variables and $\lambda$ is the formula described in Lemma 4.3. Because of the equivalence of $x'_i = (u \vee \neg z_i)$ with $(\exists z'_i)\,\lambda(x'_i, u, z_i, z'_i)$, we can immediately conclude that the requirements R1 and R2 are satisfied. To prove requirement R3, observe that because only the variables $x'_i, u, z_i$, for $i = 1, \ldots, n$, are involved in the connectives that are replaced at the current step, and because we have associated a different witness $z'_i$ with each triple of variables $x'_i, u, z_i$, we can restrict our attention to assignments to the three variables $x'_i$, $u$ and $z_i$ only (for an arbitrary but fixed $i$). Suppose that $\alpha$ and $\alpha'$ are two assignments to $x'_i$, $u$ and $z_i$ such that $\alpha'$ is less than or equal to $\alpha$ and $u = 1$ in $\alpha$. Then first observe that because of the conjunct $x'_i = (u \vee \neg z_i)$, $x'_i = 1$ in $\alpha$. Also observe that because of the conjunct $x_i \oplus z_i$, the values of $z_i$ in $\alpha$ and $\alpha'$ are equal (recall from the proof of the Key Lemma 4.1 that we express this fact by saying that the value of $z_i$, as well as $x_i$, remain "fixed"). The proof of this step can then be completed by distinguishing two cases according to the common value of $z_i$ in $\alpha$ and $\alpha'$. The details will appear in the full paper.

Step 3: In $\chi_2$, replace each connective $x_i' \lor z_i$ (that appears
as part of the formula $\lambda(x_i', u, z_i, z_i')$) by $x_i \to x_i'$.
The satisfaction of the requirements R1-R3 is proved exactly
as in Step 1.

Observe that, apart from the conjunct $\bigwedge_{i=1}^{n} (x_i \ne z_i)$,
the only logical connectives that have not yet been replaced
by an $\mathcal{F}_C(S)$-formula are connectives of the form $x \to y$
($x$ and $y$ are used as generic names of variables), where $x$
is either $u$ or $x_i$ or $z_i$ for some $i$. In the next two steps, we
deal with these connectives. Notice first that if the relation
$K = \{(1,1,1), (0,1,0), (0,0,1)\}$ is not in $\mathcal{F}_1(S)$, then we
are in Case 1 of Lemma 4.2, therefore there is an $\mathcal{F}_1(S)$
formula $\epsilon(x,y)$ equivalent to $x \to y$. In this case, in one
step that subsumes the following two steps, we just replace
every occurrence of $x \to y$ with $\epsilon(x,y)$. So in the next
two steps, we assume that the relation $K$ is in $\mathcal{F}_1(S)$, and
therefore we are in Case 2 of Lemma 4.2.

Step 4: In $\chi_3$, replace each connective $u \to x$ ($x$ is
again a generic name for variables) with $\kappa(u, x, x')$, where
$x'$ is a new variable distinct for each $x$ and $\kappa$ is the formula
described in Case 2 of Lemma 4.2. The validity of the requirements
R1 and R2 is immediate. As for requirement
R3, restrict attention to the variables $u$ and $x$, for an arbitrary
but fixed variable $x$. The validity of R3 then follows
from the witness property (i) established in Lemma 4.2.

Step 5: Notice first that we cannot imitate Step 4 and replace
the connectives of the form $x_i \to x$ with $\kappa(x_i, x, x')$,
since in two models $\alpha$ and $\alpha'$ of $x_i \to x$ such that $\alpha'$ is less
than or equal to $\alpha$, the value of $x_i$ remains fixed, while it is
the value of $x$ that may drop from 1 in $\alpha$ to 0 in $\alpha'$. Therefore,
the witness property (i) of Lemma 4.2 does not suffice
to prove R3 for the case when $x_i = 0$. Instead, we first substitute
$x_i \to x$ with $z_i \lor x$ and then substitute the latter with
$\kappa(x', z_i, x)$. If we use the witness property (ii) in Lemma
4.2 for the connective $z_i \lor x$, everything goes through, for
both possibilities $z_i = 1$ and $z_i = 0$, as can be easily seen.
We deal similarly with the connectives of the form $z_i \to x$.

Step 6: By Schaefer's Expressibility Theorem 2.3, there
is an $\mathcal{F}_1(S)$ formula, say $\zeta(x, y, t_1, \dots, t_s, w_0)$, such that
for each $i = 1,\dots,n$, the connective $x_i \ne z_i$ is logically
equivalent to $(\exists \bar t)\,\zeta(x_i/x, z_i/y, \bar t, 0/w_0)$. To construct
$\chi_6$, replace in $\chi_5$ the connectives $x_i \ne z_i$ with
$\zeta(x_i/x, z_i/y, x''_{i1}/t_1, \dots, x''_{is}/t_s, 0/w_0)$, where the $x''_{ir}$ for
$i = 1,\dots,n$ and $r = 1,\dots,s$ are new variables. It is not
hard to see that requirements R1-R3 can be proved in this
case with no special properties for the witnesses. Notice
that $\chi_6$ is in $\mathcal{F}_C(S)$ (and that the constant 0 was only used
in the last step).

This  concludes  the  outline  of  the  proof  of  Theorem  3.2. 
Appendix: Proof of Lemmas 4.1, 4.2, and 4.3


Lemma 4.1: Let $S$ be a 1-valid set and let $\varphi(\bar x, \bar y, w_0, w_1)$
be an $\mathcal{F}(S)$-formula, where $\bar x = (x_1,\dots,x_n)$, $\bar y =
(y_1,\dots,y_m)$, $w_0$ and $w_1$ is the list of its variables. Let $u$,
$\bar x' = (x_1',\dots,x_n')$ and $\bar z = (z_1,\dots,z_n)$ be new variables,
and let $\chi(u, \bar x, \bar z, \bar x', \bar y)$ be the following formula

$\varphi(\bar x', \bar y, u/w_0, 1/w_1) \;\land\; \Big(\bigwedge_{i=1}^{n} (x_i \ne z_i)\Big) \;\land\; \Big(\bigwedge_{j=1}^{m} (u \to y_j)\Big) \;\land\; \Big(\bigwedge_{i=1}^{n} (x_i' = (u \lor x_i))\Big)$

Then the formula $\forall \bar x\, \exists \bar y\, \varphi(\bar x, \bar y, 0/w_0, 1/w_1)$ is true if and
only if $\chi(u, \bar x, \bar z, \bar x', \bar y) \models_{\mathrm{circ}} \lnot u$.

Proof: For the if part, consider an assignment $\alpha$ to the variables
$\bar x$ that satisfies the formula $\forall \bar y\, \lnot\varphi(\bar x, \bar y, 0/w_0, 1/w_1)$.
Extend $\alpha$ to an assignment $\beta$ of all variables of the formula
$\chi$ by letting $u = 1$, $x_i' = 1$ for $i = 1,\dots,n$, $y_j = 1$ for
$j = 1,\dots,m$, and by giving to each $z_i$, for $i = 1,\dots,n$, the
opposite value of $x_i$. Because $\varphi$ is 1-valid, it is easy to see
that $\beta$ satisfies $\chi$. We will show that $\beta$ is actually a minimal
satisfying assignment of $\chi$. First observe that the conjuncts
$\bigwedge_{i=1}^{n} (x_i \ne z_i)$ ensure that none of the variables $\bar x$ or $\bar z$ can
get a different value at a satisfying assignment of $\chi$ strictly
smaller than $\beta$ (we express this fact by saying that the values
of $\bar x$ and $\bar z$ are fixed). Also, the conjuncts $\bigwedge_{j=1}^{m} (u \to y_j)$
and $\bigwedge_{i=1}^{n} (x_i' = (u \lor x_i))$ ensure that the values of $\bar y$ and $\bar x'$
are bound to be 1 at any assignment satisfying $\chi$ and with
$u = 1$. All we have to prove is that $u$ cannot get the value
0 at a satisfying assignment of $\chi$ smaller than $\beta$. Assume it
did and let $\gamma < \beta$ be a satisfying assignment of $\chi$ with
$u = 0$. Then, observe that in $\gamma$, because of the conjunct
$\bigwedge_{i=1}^{n} (x_i' = (u \lor x_i))$, the values of $\bar x'$ would be equal to
the corresponding values of $\bar x$. Therefore, because of the
first conjunct of $\chi$, and because $u = 0$ in $\gamma$, the values of
$\bar x$ and $\bar y$ in $\gamma$ would satisfy $\varphi(\bar x, \bar y, 0/w_0, 1/w_1)$. Now observe
that $\gamma$ and $\beta$ coincide on $\bar x$, because the value of $\bar x$
is "fixed". Therefore $\gamma$ and $\alpha$ also coincide on $\bar x$, since by
construction $\beta$ extends $\alpha$. This is a contradiction, because
we assumed that $\alpha$ satisfies $\forall \bar y\, \lnot\varphi(\bar x, \bar y, 0/w_0, 1/w_1)$.

To prove the converse, consider a minimal assignment
$\alpha$ of $\chi$ with $u = 1$ and also consider the assignment
$\beta$ induced by $\alpha$ on $\bar x$. We claim that $\beta$ satisfies
$\forall \bar y\, \lnot\varphi(\bar x, \bar y, 0/w_0, 1/w_1)$. If not, then there is an assignment
of values to $\bar y$ which combined with $\beta$ forms an assignment
$\gamma$ that satisfies $\varphi(\bar x, \bar y, 0/w_0, 1/w_1)$. Extend $\gamma$ to an
assignment $\delta$ of all variables of $\chi$ by setting $u = 0$, $x_i' = x_i$
for $i = 1,\dots,n$, and by giving to each $z_i$ for $i = 1,\dots,n$
the opposite value of $x_i$. It is easy to see that $\delta$ satisfies $\chi$
and is strictly smaller than $\alpha$, which is a contradiction. ∎

Lemma 4.2: (Creignou and Hebrard [CH97]) Let $S$ be a
1-valid, non-Schaefer set of logical relations. Then at least
one of the following two statements is true.

1. There exists an $\mathcal{F}_1(S)$-formula $\epsilon(x,y)$ with the property
that $(x \to y) \equiv \epsilon(x,y)$.

2. The logical relation $K = \{(1,1,1), (0,1,0), (0,0,1)\}$
is in $\mathcal{F}_1(S)$, i.e., there exists an $\mathcal{F}_1(S)$-formula
$\kappa(x,y,z)$ which is satisfied only by the three truth assignments
$(1,1,1)$, $(0,1,0)$ and $(0,0,1)$. Therefore:

(i) $(x \to y) \equiv (\exists z)\kappa(x,y,z)$; moreover,
$(\exists z)\kappa(x,y,z)$ has the additional property that 1 is the
only witness for the variable $z$ under the truth assignment
$(1,1)$ to the variables $(x,y)$.

(ii) $(x \lor y) \equiv (\exists z)\kappa(z,x,y)$; moreover,
$(\exists z)\kappa(z,x,y)$ has the additional property that 1 is the
only witness for the variable $z$ under the truth assignment
$(1,1)$ to the variables $(x,y)$.

Proof: Since $S$ is a 1-valid, non-Schaefer set of logical relations,
it must contain a 1-valid logical relation $R$ that is not
affine. As shown in [CH96], there must exist two $k$-tuples
$s, t \in R$ such that $\mathbf{1} \oplus s \oplus t \notin R$, where $\mathbf{1}$ is the all-ones
$k$-tuple $(1,\dots,1)$ and $k$ is the arity of $R$. Let $x_1,\dots,x_k$ be
propositional variables and let $R'$ be a relation symbol of
arity $k$ that will be interpreted by $R$. For $(i,j) \in \{0,1\}^2$,
let $V_{ij}$ be the set of all variables $x_p$, $1 \le p \le k$, such
that the $p$-th coordinate of the tuple $s$ is equal to $i$, and the
$p$-th coordinate of the tuple $t$ is equal to $j$. Let $x, y, z, w$
be four new propositional variables and let $\varphi_1(x,y,z,w)$
be the $\mathcal{F}(S)$-formula $R'(x/V_{00}, y/V_{10}, z/V_{01}, w/V_{11})$ obtained
from the formula $R'(x_1,\dots,x_k)$ by substituting
the variable $x$ for all occurrences of the variables in $V_{00}$,
and similarly for the variables $y$, $z$, and $w$. Also let
$\varphi_2(x,y,z)$ be the $\mathcal{F}_1(S)$-formula $\varphi_1(x,y,z,1/w)$. Now
observe the following: (1) the truth assignment $(1,1,1,1)$
satisfies $\varphi_1(x,y,z,w)$, since $\mathbf{1} \in R$; (2) the truth assignment
$(0,1,0,1)$ satisfies $\varphi_1(x,y,z,w)$, since $s \in R$; (3)
the truth assignment $(0,0,1,1)$ satisfies $\varphi_1(x,y,z,w)$,
since $t \in R$; (4) the truth assignment $(1,0,0,1)$ does not
satisfy $\varphi_1(x,y,z,w)$, since $\mathbf{1} \oplus s \oplus t \notin R$. Therefore,
$(1,1,1)$, $(0,1,0)$ and $(0,0,1)$ satisfy $\varphi_2(x,y,z)$, while
$(1,0,0)$ does not.

We have no information as to whether or not the remaining
four assignments $(1,1,0)$, $(0,1,1)$, $(1,0,1)$, $(0,0,0)$
satisfy $\varphi_2(x,y,z)$. Thus, we have sixteen possibilities to
examine regarding the satisfiability of $\varphi_2(x,y,z)$ by these
four truth assignments. We start by branching on the two
possibilities for the truth assignment $(0,0,0)$:

Case A: $(0,0,0)$ satisfies $\varphi_2(x,y,z)$. We distinguish
two subcases: Subcase A.1: $(0,1,1)$ satisfies $\varphi_2(x,y,z)$.
Then set $\epsilon(x,y) = \varphi_2(x,y,y)$. Subcase A.2: $(0,1,1)$
does not satisfy $\varphi_2(x,y,z)$. One more branching: Subcase
A.2.1: $(1,0,1)$ satisfies $\varphi_2(x,y,z)$. Then set $\epsilon(x,y) =
\varphi_2(y,x,1)$. Subcase A.2.2: $(1,0,1)$ does not satisfy
$\varphi_2(x,y,z)$. Then set $\epsilon(x,y) = \varphi_2(x,y,x)$. This completes
the examination of Case A.

Case B: $(0,0,0)$ does not satisfy $\varphi_2(x,y,z)$. Consider
the following branching: Case B.1: None of the three
assignments $(1,1,0)$, $(1,0,1)$, $(0,1,1)$ satisfies $\varphi_2(x,y,z)$.
Then $\kappa(x,y,z) = \varphi_2(x,y,z)$. Case B.2: At least one of
the three assignments $(1,1,0)$, $(1,0,1)$, $(0,1,1)$ satisfies
$\varphi_2(x,y,z)$. We make a three-way branching depending
on which of these three assignments satisfies $\varphi_2(x,y,z)$.
Case B.2.1: $(1,1,0)$ satisfies $\varphi_2(x,y,z)$. Then observe
that $(x \lor y) \equiv \varphi_2(x,x,y)$. We postpone for a while the
continuation of this case where we have already established
that $(x \lor y)$ is defined by an $\mathcal{F}_1(S)$-formula. Case B.2.2:
$(1,0,1)$ satisfies $\varphi_2(x,y,z)$. Then observe that $(x \lor y) \equiv
\varphi_2(x,y,x)$. Again, we postpone the continuation of this
case. Case B.2.3: $(0,1,1)$ satisfies $\varphi_2(x,y,z)$. Since we
have already examined B.2.2, we may assume that $(1,0,1)$
does not satisfy $\varphi_2(x,y,z)$. Then set $\epsilon(x,y) = \varphi_2(x,y,1)$.
At this point all we are left to deal with is the case where
$(x \lor y)$ is defined by an $\mathcal{F}_1(S)$-formula. We examine this
case below.

Since not every element of $S$ is a dual Horn relation, $S$
must contain a logical relation $Q$ for which there are tuples
$s, t \in Q$ such that $s \lor t \notin Q$ (here we use the closure property
that characterizes dual Horn relations). By arguments
similar to the preceding ones, we can construct an $\mathcal{F}_1(S)$-formula
$\psi_2(x,y,z)$ that is satisfied by $(1,1,1)$, $(0,1,0)$ and
$(0,0,1)$, but it is not satisfied by $(0,1,1)$. Let $\psi_3(x,y,z)$
be the $\mathcal{F}_1(S)$-formula $\psi_2(x,y,z) \land (y \lor z)$. Observe that
$\psi_3(x,y,z)$ is satisfied by $(1,1,1)$, $(0,1,0)$ and $(0,0,1)$, but
it is not satisfied by $(0,1,1)$, $(1,0,0)$, $(0,0,0)$. We are now
left with the triples $(1,1,0)$ and $(1,0,1)$ about which there
is no information as to whether they satisfy $\psi_3(x,y,z)$ or
not. We consider the following three exhaustive cases:

(1) If $(1,1,0)$ satisfies $\psi_3(x,y,z)$, then set $\epsilon(x,y) =
\psi_3(y,1,x)$; (2) if $(1,0,1)$ satisfies $\psi_3(x,y,z)$, then set
$\epsilon(x,y) = \psi_3(y,x,1)$; (3) if neither $(1,1,0)$ nor $(1,0,1)$
satisfies $\psi_3(x,y,z)$, then $\kappa(x,y,z) = \psi_3(x,y,z)$. This
completes the proof of Lemma 4.2. ∎

Lemma 4.3: Let $S$ be a 1-valid, non-Schaefer set of logical
relations. Then there exists a three-variable
formula $\kappa'(x,y,z)$ that is satisfied by the truth assignments
$(1,1,1)$, $(1,0,0)$ and $(0,0,1)$ but is not satisfied by the
truth assignment $(1,0,1)$ (no information about the remaining
four possible assignments is required). Moreover, if we
set $\lambda(x', u, z, z')$ to be the formula

$(u \to x') \land (x' \lor z) \land (z \to z') \land (u \to z') \land \kappa'(x', u, z'),$

we have the following properties:

(i) the formula $x' = (u \lor \lnot z)$ is logically equivalent to
the formula $(\exists z')\lambda(x', u, z, z')$;

(ii) the only witnesses $z'$ for each of the four assignments
$(x' = 1, u = 1, z = 0)$, $(x' = 1, u = 0, z = 0)$, $(x' = 1, u = 1, z = 1)$
and $(x' = 0, u = 0, z = 1)$ that satisfy the
formula $(\exists z')\lambda(x', u, z, z')$ are $z' = 1$, $z' = 0$, $z' = 1$ and
$z' = 1$, respectively.

Proof of Lemma 4.3

Let $\kappa'(x,y,z)$ be the formula $\psi_2(y,x,z)$ constructed in the
last part of the proof of Lemma 4.2 (notice the inversion
of $x$ and $y$ in $\psi_2$). From the properties of $\psi_2$ it immediately
follows that $\kappa'$ is satisfied by the truth assignments
$(1,1,1)$, $(1,0,0)$ and $(0,0,1)$ but is not satisfied by the
truth assignment $(1,0,1)$. To prove the properties (i)-(ii),
we essentially do exhaustive case analysis for all the possible
assignments to the variables $x', z, u$. We can immediately
check that the formula $x' = (u \lor \lnot z)$ is satisfied
by the assignments $(1,1,0)$, $(1,0,0)$, $(1,1,1)$ and $(0,0,1)$
(each bit in each assignment is assigned to $x', u$ and $z$
in this order), while it is not satisfied by the assignments
$(0,1,0)$, $(0,0,0)$, $(0,1,1)$ and $(1,0,1)$. Now by plugging
into the formula $(\exists z')\lambda(x', u, z, z')$ the latter four assignments,
one after the other, we can check that they do not
satisfy it. In the same way we can check that the former
four assignments $(1,1,0)$, $(1,0,0)$, $(1,1,1)$ and $(0,0,1)$ do
satisfy $(\exists z')\lambda(x', u, z, z')$. During the check that the above
four assignments are indeed satisfying, we also determine
all possibilities for the witness $z'$, in order to verify that the
uniqueness properties required from $z'$ are indeed true (we
will only need some of these uniqueness properties). ∎
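The case analysis at the end of the proof of Lemma 4.2 and the exhaustive check in the proof of Lemma 4.3 are both finite, so they can be carried out by a program. The following Python script is an added example and not code from the paper: it represents a three-variable formula by its set of satisfying triples, checks the witness properties (i) and (ii) of Lemma 4.2 for $K$, and then checks properties (i) and (ii) of Lemma 4.3 against every one of the 16 relations $\kappa'$ that agree with the lemma's assumptions on the four undetermined triples.

```python
"""Exhaustive verification of Lemma 4.2 (i)-(ii) and Lemma 4.3 (i)-(ii).
Added example, not part of the paper.  A three-variable formula is
represented by the set of 0/1 triples that satisfy it."""
from itertools import product

BITS = (0, 1)
TRIPLES = list(product(BITS, repeat=3))


def implies(a, b):
    return (not a) or bool(b)


# The relation K of Lemma 4.2, read as the formula kappa(x, y, z).
K = {(1, 1, 1), (0, 1, 0), (0, 0, 1)}


def check_lemma_4_2(kappa=K):
    """True iff (i) x -> y == (exists z) kappa(x, y, z), (ii) x v y ==
    (exists z) kappa(z, x, y), and in both cases 1 is the only witness
    for z under the assignment (1, 1) to (x, y)."""
    for x, y in product(BITS, repeat=2):
        w_i = {z for z in BITS if (x, y, z) in kappa}   # witnesses for (i)
        w_ii = {z for z in BITS if (z, x, y) in kappa}  # witnesses for (ii)
        if bool(w_i) != implies(x, y) or bool(w_ii) != bool(x or y):
            return False
        if (x, y) == (1, 1) and (w_i != {1} or w_ii != {1}):
            return False
    return True


# What Lemma 4.3 guarantees about kappa': three triples in, one triple
# out, and no information about the remaining four.
KNOWN_IN = {(1, 1, 1), (1, 0, 0), (0, 0, 1)}
KNOWN_OUT = {(1, 0, 1)}
UNKNOWN = [t for t in TRIPLES if t not in KNOWN_IN and t not in KNOWN_OUT]


def candidate_kappa_primes():
    """All 2^4 = 16 relations consistent with the lemma's assumptions."""
    for chosen in product(BITS, repeat=len(UNKNOWN)):
        yield KNOWN_IN | {t for t, c in zip(UNKNOWN, chosen) if c}


def lam(xp, u, z, zp, kappa_prime):
    """lambda(x', u, z, z') = (u -> x') & (x' v z) & (z -> z') & (u -> z')
    & kappa'(x', u, z')."""
    return (implies(u, xp) and bool(xp or z) and implies(z, zp)
            and implies(u, zp) and (xp, u, zp) in kappa_prime)


# Property (ii): the unique witness z' for each satisfying (x', u, z).
EXPECTED_WITNESS = {(1, 1, 0): 1, (1, 0, 0): 0, (1, 1, 1): 1, (0, 0, 1): 1}


def check_lemma_4_3(kappa_prime):
    """True iff, for this kappa', x' = (u v ~z) is equivalent to
    (exists z') lambda(x', u, z, z') and the witnesses are as in (ii)."""
    for xp, u, z in TRIPLES:
        target = (xp == int(u or not z))            # x' = (u v ~z)
        witnesses = {zp for zp in BITS if lam(xp, u, z, zp, kappa_prime)}
        if bool(witnesses) != target:
            return False
        if target and witnesses != {EXPECTED_WITNESS[(xp, u, z)]}:
            return False
    return True


def check_lemma_4_3_all_candidates():
    """The proof must go through whatever the four undetermined triples are."""
    return all(check_lemma_4_3(kp) for kp in candidate_kappa_primes())


if __name__ == "__main__":
    print("Lemma 4.2 holds for K:", check_lemma_4_2())
    print("Lemma 4.3 holds for all 16 candidates:",
          check_lemma_4_3_all_candidates())
```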
Abstract

In this paper we compare three approaches to polynomial
time decidability for uniform word problems for quasi-varieties.
Two of the approaches, by Evans and Burris, respectively,
are semantical, referring to certain embeddability
and axiomatizability properties. The third approach is
more proof-theoretic in nature, inspired by McAllester's
concept of local inference. We define two closely related
notions of locality for equational Horn theories and show
that both the criteria by Evans and Burris lie in between
these two concepts. In particular, the variant we call stable
locality will be shown to subsume both Evans' and Burris'
method.

1  Introduction 

This paper relates two strands of results about polynomially
decidable uniform word problems for quasi-varieties.
A quasi-variety is a class of algebras satisfying a particular
(in this paper always finite) set $\mathcal{K}$ of equational Horn
clauses. Given $\mathcal{K}$, the uniform word problem for $\mathcal{K}$ is to decide
whether or not an equational, variable-free Horn clause
$C$, the query, is entailed by $\mathcal{K}$: the antecedent of $C$ consists of the
defining relations for the generators (fresh constants) appearing
there; the succedent of $C$ is the word problem to be
solved for that presentation.

One line of research leading to decidability criteria goes
back to work by Skolem (Skolem 1920). Skolem considered
the variety of lattices and investigated relational encodings
by function-free clauses which we also call Datalog
clauses today. Given a Horn theory $\mathcal{K}$, one can flatten the
clauses such that all equations in the transformed clauses
are of the form $f(x_1,\dots,x_k) \approx x$ or $x \approx y$ with variables $x_i$,
$x$, $y$. Next one can replace functions $f$ by relations (representing
their graphs) $r^f$, so that equations $f(x_1,\dots,x_k) \approx x$
become atoms $r^f(x_1,\dots,x_k,x)$. Datalog also allows one to
express that equality is an equivalence and that relations are
compatible with equality. Moreover, one can specify that
function graphs represent partial functions, for example, by
saying $r^f(x,y), r^f(x,z) \to y \approx z$. The "only" property that
is lost in the relational encoding is that functions are total.
However, if one can show that all finite relational models
of the encoding can be extended (maintaining $\mathcal{K}$) so that the
functions become total, the uniform word problem becomes
(polynomially) decidable. For if the relational version $C^*$ of
a flat clause $C$ cannot be proved from the Datalog encoding
$\mathcal{K}_0$ of $\mathcal{K}$ there will be a finite counter model for $\mathcal{K}_0 \cup \lnot C^*$
(there are no function symbols other than the constants from
$C^*$), and if that model can be extended to one in which functions
are total, this yields a model of $\mathcal{K}$ in which $C$ is false.
Skolem presented this technique for the special cases of lattices
and for certain axiomatizations of projective geometry,
but not for varieties in general. His algorithm for lattices
resulting from a dynamic programming implementation of
the function-free encoding was rediscovered later by Cosmadakis
(1988) and by Freese (1989).¹

Independently of Skolem's methods, Evans (1951)
proved a somewhat stronger result for varieties in general.
As Evans' original proof is based on quite different techniques,²
it is not surprising that Skolem's work is not even
mentioned in his paper. Later, Burris (1995) realized that
one might, in fact, view Evans' result as a generalization
of Skolem's techniques. One of Burris' observations was
that a weak form of definedness requirements for the partial
functions can also be expressed in Datalog. (For instance,
one can require $r^f(x,y) \to r^g(x,y)$, expressing a relativized
definedness property for the function $g$ in terms of the definedness
properties of $f$.) Evans' result is that the uniform
word problem is (polynomially) decidable whenever all finite
partial algebras "satisfying" $\mathcal{K}$ can be injectively embedded
into a total $\mathcal{K}$-algebra, where his notion of validity
for equations in partial algebras includes precisely those
relativized definedness requirements expressible in Datalog
(cf. Section 2 below). Having seen the connection between
Skolem's and Evans' ideas, it was not difficult for Burris
(1995) to extend Evans' result to quasi-varieties. In the
same paper he then also presented an even more general
criterion for polynomial decidability that refers to the finite
axiomatizability of certain classes of substructures of the
relational versions of the $\mathcal{K}$-algebras. We will return to this
criterion in Section 7 below.

¹This is how Burris (1995) puts it. Looking at the papers, however, the
connections to Skolem's work are not so obvious.

²Evans' algorithm is ground completion — before the concept of completion
was invented by Knuth & Bendix (1970) — of the antecedent of
the query together with certain ground instances of the theory clauses dynamically
derived from subterms of the query. Using auxiliary constants to
name subterms, Evans' procedure is closely related to recent presentations
of congruence closure algorithms such as the one by Bachmair & Tiwari
(2000).

The approaches of Evans and Burris emphasize the role
of partial algebras (constructed from the subterms and the
equations in the antecedent of a query) for the decidability
of uniform word problems. An approach that is
based on confining deduction to subterms of the query is
represented by the concept of local inference systems in
(Givan & McAllester 1992, McAllester 1993). Local theories
are sets of Horn clauses $\mathcal{K}$ such that $\mathcal{K} \models C$, for
variable-free Horn clauses $C$, only if already $\mathcal{K}_C \models C$ where
$\mathcal{K}_C$ is the set of instances of $\mathcal{K}$ in which all terms are
subterms of ground terms in either $\mathcal{K}$ or $C$. Givan and
McAllester dealt with non-equational logic whereas we are
interested in the equational case. As we shall see below,
the main results about non-equational local theories given
in (Givan & McAllester 1992, McAllester 1993, Basin &
Ganzinger 2001) can be easily extended to the equational
case. In particular, the uniform word problem for local
equational theories is decidable in polynomial time. A
slightly more general variant of this concept is obtained by
allowing in local entailment all instances of $\mathcal{K}$ by substitutions
sending the variables in $\mathcal{K}$-clauses to subterms of
the ground terms of $C$ or $\mathcal{K}$. We call $\mathcal{K}$ stably local if $C$ is
already entailed by this larger set of instances whenever $\mathcal{K} \models C$.

The main results of this paper establish close relationships
between the approaches by Evans, Burris and
McAllester. We show that both Evans' and Burris' criteria
lie in between the two variants of locality. The inclusions
are (mostly) proper. In particular stable locality
is shown to subsume Burris' (and hence Evans') method.
We also show for the subclass of superficial presentations
(McAllester 1993) $\mathcal{K}$ that locality and embeddability
coincide.

From these results we may conclude that all three criteria
for polynomial decidability of uniform word problems
are essentially equivalent. In the end, this might not be so
surprising given that all three approaches are based on ideas
of exploiting the algebraic and deductive structure, respectively,
induced by the linearly many query subterms. Moreover
it is known that any P-time inference problem can be
encoded as a local Horn theory. However, as we shall see
below, clarifying the precise relationships induces a number
of technical complications mainly related to Evans' specific
notion of validity in partial algebras.


2  Basic  Notions  and  Notation 

Our investigation assumes an arbitrary, but fixed signature
$\Sigma$ of function symbols to be given, containing an infinite
subset $C$ of constants that are used to denote the generators
in the formulation of word problems. An equational
Horn clause is an implication of the form $e_1, \dots, e_k \to e_0$,
$k \ge 0$, with equations $e_i$ over $\Sigma$. We consider
the object language symbol $\approx$ for formal equality also³
syntactically as symmetric, so that $s \approx t$ at the same time
also denotes $t \approx s$. Sometimes we also take a relational
view of functions. Then, given a signature $\Sigma$, by $\Sigma^*$ we
denote the corresponding relational signature where each
$n$-ary function symbol $f$ in $\Sigma$ is replaced by an $n+1$-ary relation
symbol $r^f$. If $C$ is an equational Horn clause with all
equations of the form $f(x_1,\dots,x_k) \approx x$ or $x \approx y$, with variables
$x_i$, $x$, $y$, by $C^*$ we denote its relational form, the $\Sigma^*$
clause resulting from $C$ by replacing any equation of the
form $f(x_1,\dots,x_k) \approx x$ by an atom $r^f(x_1,\dots,x_k,x)$. (Equations
between variables remain unchanged.)

Let $\mathcal{K}$ be a finite set of clauses, called the theory. For
technical simplicity we assume that the only terms in $\mathcal{K}$
which are ground are constants. In equational logic this
restriction can always be satisfied by flattening transformations,
cf. Section 4. The uniform word problem for $\mathcal{K}$
is to decide $\mathcal{K} \models C$, for ground Horn clauses $C$ (called
queries), where "$\models$" denotes implication in first-order logic
with equality.

A partial ($\Sigma$-)algebra is a structure $(A, \{f_A\}_{f \in \Sigma})$, where
$A$ is a non-empty set, and for every $f \in \Sigma$ with arity $n$, $f_A$
is a partial function from $A^n$ to $A$. Where no confusion
about the interpretation of the function symbols can arise,
we identify the algebra with its carrier $A$. For partial algebras
the notion of evaluating a term $t$ with respect to a variable
assignment $\beta$ for its variables, yielding a value $\beta(t)$ in
$A$, is the same as for total algebras, except that this evaluation
is undefined, if $t = f(t_1,\dots,t_n)$ and either one of the
$\beta(t_i)$ is undefined, or else $(\beta(t_1),\dots,\beta(t_n))$ is not in the
domain of $f_A$. If the term $t$ is ground, the evaluation is independent
of any variable assignment, and its value will be
denoted by $t_A$. If $A \subseteq B$ are partial $\Sigma$-algebras, $B$ is called
an expansion of $A$ if $f_A$ = the restriction of the partial
function $f_B$ to the subset $A$. $A$ is called a (total) algebra
whenever all functions are total. Under the relational view,
if $A$ is a (partial or total) $\Sigma$-algebra, by $A^*$ we denote its relational
variant, the $\Sigma^*$-structure for which $r^f_{A^*}(a_1,\dots,a_n,a)$
is true if, and only if, $f_A(a_1,\dots,a_n) = a$.

Given a set $\mathcal{K}$ of equational Horn clauses, by $\mathcal{K}$ we also
denote the quasi-variety represented by $\mathcal{K}$, that is, the class
of all total algebras that satisfy (in the usual sense of first-order
logic with equality) the clauses in $\mathcal{K}$. A partial $\mathcal{K}$-algebra
$A$ is a partial algebra satisfying all the clauses in
$\mathcal{K}$. Hereby a clause $s_1 \approx t_1, \dots, s_n \approx t_n \to s \approx t$ is satisfied (is
valid) in $A$, if for all assignments $\beta$ of elements in $A$ to the
variables in the clause, whenever the $\beta(s_i)$ and $\beta(t_i)$ are all
defined and $\beta(s_i) = \beta(t_i)$, then

(i) if $\beta(s)$ and $\beta(t)$ are both defined then $\beta(s) = \beta(t)$; and

(ii) if $s = f(u_1,\dots,u_n)$, $n > 0$, and if all terms $\beta(u_i)$ and
$\beta(t)$ are defined, then $\beta(s)$ is also defined.⁴

We say that a partial algebra weakly satisfies $\mathcal{K}$, if only requirement
(i) is satisfied for any clause in $\mathcal{K}$. In a partial $\mathcal{K}$-algebra,
requiring that an equation be satisfied also induces
certain definedness requirements for the functions that appear
in the equation. Sometimes we speak of strong satisfaction
when we want to emphasize that both (i) and the
definedness requirements (ii) are fulfilled.

³This also includes the possibility for a constant symbol to not be defined
in $A$.

This specific concept of validity for clauses in partial algebras
was introduced by Evans. Its definedness requirements
may appear ad hoc at first sight. Viewed relationally,
however, one observes that this is the strongest notion of
relative definedness that can directly be expressed in Datalog.
For instance an equation $f(g(x)) \approx h(x)$ can be encoded
by writing the two clauses $r^g(x,y), r^f(y,z) \to r^h(x,z)$ and
$r^g(x,y), r^h(x,z) \to r^f(y,z)$, where these two clauses imply
both the equality and the definedness requirement associated
with the equation. In other words, the natural encoding
of conditional equations into Datalog induces the relativized
definedness requirements in Evans' definition.

As an aside, many more notions of validity have been
considered in the literature, usually motivated by a particular
application. One of the more prominent choices is
to consider existential equality, where an equation $s \approx t$ is
interpreted as "$s$ and $t$ are defined and are equal". Existential
equality appears to be useful for applications to
the semantics of programming languages and to intuitionistic
logic (Scott 1979). The treatment of partial algebras
by Burmeister (1986) is also based on existential equality
since most of the other notions of validity can be encoded
in existential equality.

A (total) mapping $h : A \to B$ between partial $\Sigma$-algebras
$A$ and $B$ is called a (weak) ($\Sigma$-)homomorphism if whenever
$f_A(a_1,\dots,a_k)$ is defined, then so is $f_B(h(a_1),\dots,h(a_k))$,
and $h(f_A(a_1,\dots,a_k)) = f_B(h(a_1),\dots,h(a_k))$. A partial $\Sigma$-algebra
$A$ is said to weakly embed into $\mathcal{K}$ if there exists a
(total) $\mathcal{K}$-algebra $B$ and an injective (weak) homomorphism
from $A$ to $B$.

Evans' result (which was later extended to quasi-varieties
by Burris) refers to partial algebras with definedness
requirements:

Theorem 2.1 (Evans 1951, Burris 1995) Let $\mathcal{K}$ be a
finite set of Horn clauses. If every finite partial $\mathcal{K}$-algebra
weakly embeds into $\mathcal{K}$, then the uniform word problem for
$\mathcal{K}$ is decidable in polynomial time.

A proof of this theorem, via the relational encoding, was
outlined in the introduction.

⁴Remember that symmetry of $\approx$ is built into the notation so that the
same property is also assumed to hold when exchanging $s$ and $t$.


3  Local  Equational  Theories 

Let $T$ be a set of ground terms and $C$ a clause. By $\mathcal{K}_T$ we
denote the set of ground instances of $\mathcal{K}$ in which all terms
are in $T$. We say that $\mathcal{K}$ entails $C$ with respect to $T$, and
write $\mathcal{K} \models_T C$, if $\mathcal{K}_T \models C$.

If $S$ is a clause or a set of clauses, by $\mathrm{st}[S]$ we denote the
set of all ground (sub)terms appearing in $S$ or in $\mathcal{K}$. (We
use this notation when $\mathcal{K}$ is fixed by the context. Note that
we have restricted theory presentations $\mathcal{K}$ to only contain
constants as ground terms.) A theory $\mathcal{K}$ is called local if for
every ground Horn clause $C$ we have $\mathcal{K} \models C$ if, and only if,
$\mathcal{K}_{\mathrm{st}[C]} \models C$. Whenever $\mathcal{K}_{\mathrm{st}[C]} \models C$ we say that $C$ is locally
entailed by $\mathcal{K}$. The following presentation Int of integers
with successor and predecessor is local (at the end of this
section we will briefly explain why):

$p(x) \approx y \to s(y) \approx x$

$s(x) \approx y \to p(y) \approx x$

$p(x) \approx p(y) \to x \approx y$

$s(x) \approx s(y) \to x \approx y$

For a local theory to decide a word problem represented by $C$ it suffices to generate all ground instances of the theory $\mathcal{K}$ in which all terms are either subterms of $C$ or constants in $\mathcal{K}$ and to check whether $C$ is entailed by those ground instances. For example, the query $p(s(z)) \approx z$ is entailed in equational logic by the instance $s(z) \approx s(z) \to p(s(z)) \approx z$ of the second clause in Int.$^3$ In that clause, all terms are subterms of the query. The third and fourth clauses of Int are consequences of the first two clauses. For example, $s(u) \approx s(v) \to u \approx v$ follows from $s(u) \approx s(u) \to p(s(u)) \approx u$ and $s(v) \approx s(v) \to p(s(v)) \approx v$. However, in this derivation there appear terms (such as $p(s(u))$) which are not admitted in local entailment. Hence, although the injectivity clauses are entailed by the other clauses, for the presentation to be local they cannot be deleted. This is a general phenomenon. For a presentation to be local, sufficiently many consequences must be present, in particular those consequences which are not entailed by local implication. Clearly, locality is a property of a presentation rather than a property of the quasi-variety.

If the size of $\mathcal{K}$ is considered as a constant, the set $\mathcal{K}_{\mathrm{st}[C]}$ is a finite set of equational ground clauses the size of which is polynomially bounded by $C$. In the non-equational case, when $\approx$ is interpreted as an arbitrary binary relation symbol, applying the result of Dowling & Gallier (1984), we observe that entailment of queries for local theories is decidable in polynomial time. We will show that this result can be extended also to the equational case as local implication is independent of whether or not equality is internal or external.

$^3$Note that $z$ is formally a constant here. But since it does not occur anywhere else, proving $p(s(z)) \approx z$ is the same as showing $\mathrm{Int} \models \forall z\,(p(s(z)) \approx z)$.

Let us use $\models$ and $\models_{\mathrm{neq}}$ to denote implication in logic with equality and without equality, respectively. In logic without equality, $\approx$ is an arbitrary binary relation symbol. Let EQ denote the set of equality axioms consisting of reflexivity, symmetry, transitivity and congruence axioms

$x_1 \approx y_1, \ldots, x_k \approx y_k \to f(x_1,\ldots,x_k) \approx f(y_1,\ldots,y_k)$

for each $k$-ary function symbol $f$ in the signature. In first-order logic equality can be internalized since $\mathcal{K} \models C$ if, and only if, $\mathcal{K} \cup \mathrm{EQ} \models_{\mathrm{neq}} C$. This carries over to local implication, the main reason being that EQ itself is a local theory (in logic without equality):

Proposition 3.1 (Givan & McAllester 1992) For any ground Horn clause $C$ we have $\mathrm{EQ} \models_{\mathrm{neq}} C$ if, and only if, $\mathrm{EQ}_{\mathrm{st}[C]} \models_{\mathrm{neq}} C$.

A consequence of this result is that congruence closure, that is, the uniform word problem for the class of all $\Sigma$-algebras, is decidable in polynomial time, a result that was first proved by Kozen (1977) and later shown to be in $O(n \log n)$ by Downey, Sethi & Tarjan (1980).

Proposition 3.2 Let $S$ be a set of Horn clauses in which all terms are contained in a subterm-closed set $\Psi$ of ground terms. For equalities $e$ between terms in $\Psi$ we have $S \models e$ if, and only if, $S \cup \mathrm{EQ}_\Psi \models_{\mathrm{neq}} e$.

Proof. The direction from right to left is trivial. Conversely, suppose that $S \models e$ in equational logic. Then $\ldots \cup \mathrm{EQ} \models_{\mathrm{neq}} e$, with $T_S$ the immediate consequence operator sending interpretations $I$ to

$\{\, C_0 \mid I \cup \mathrm{EQ} \models_{\mathrm{neq}} C_i \text{ for some clause } C_1, \ldots \to C_0 \text{ in } S \,\}.$

From Proposition 3.1 we infer that $I \cup \mathrm{EQ} \models_{\mathrm{neq}} C_i$ only if $I \cup \mathrm{EQ}_{\Psi_i} \models_{\mathrm{neq}} C_i$, where $\Psi_i$ is the set of all subterms in $I$ or in $C_i$. These terms are all in $\Psi$ for those $I$ obtained as iterates of $T_S$, as an easy induction shows. Therefore, $S \cup \mathrm{EQ}_\Psi \models_{\mathrm{neq}} e$. □

As an immediate consequence we obtain:

Theorem 3.3 Let $S$ be a set of Horn clauses. Then $S$ is a local theory in logic with equality if, and only if, $S \cup \mathrm{EQ}$ is local in logic without equality.


This property of equational logic allows us to extend the results by Givan & McAllester (1992), McAllester (1993) and Basin & Ganzinger (2001) to local equational theories: Any language in P can be encoded as a uniform word problem for a local theory, that is, the method is complete for polynomial time. The set of local equational Horn theories is co-recursively enumerable but undecidable (McAllester 1993). Recursively enumerable approximations of the class of local theories as given in (McAllester 1993, Basin & Ganzinger 2001) can be easily adapted to the equational case. In particular we may use the Saturate system (Ganzinger, Nieuwenhuis & Nivela 1994) to saturate non-local presentations as described in (Basin & Ganzinger 2001). The locality of the Int example was demonstrated by Saturate by checking that all ordered resolution inferences between the clauses in $\mathrm{Int} \cup \mathrm{EQ}$ are redundant in that the respective consequences of $\mathrm{Int} \cup \mathrm{EQ}$ are entailed by smaller instances of $\mathrm{Int} \cup \mathrm{EQ}$. This was checked for all total and well-founded extensions of the subterm ordering so that by the criterion given in (Basin & Ganzinger 2001) the locality of $\mathrm{Int} \cup \mathrm{EQ}$ follows.

Queries $C$ for local equational theories $\mathcal{K}$ are decidable in polynomial time by applying dynamic programming à la Dowling & Gallier (1984) to the clauses in $(\mathcal{K} \cup \mathrm{EQ})_{\mathrm{st}[C]}$. Note however that this implementation method will always give at least cubic complexity in $n$, the number of terms in $C$. For practical applications, in particular to problems arising in program analysis (McAllester 1999), more efficient equational reasoning is required. Recent results in this direction, extending the congruence closure method of Downey et al. (1980) to conditional equations, are given in (Ganzinger & McAllester 2001).

4  Flattening  and  Linearity 

A quasi-variety $\mathcal{K}$ is local if queries $C$ are implied already by those ground instances of $\mathcal{K}$ in which all terms are subterms of $C$ or $\mathcal{K}$. In the equational case this property, if it is true, has to be invariant under transformations of $C$ modulo equality. In particular, transformations of $C$, replacing $C[f(\ldots,t,\ldots)]$ by $C' = c \not\approx t \vee C[f(\ldots,c,\ldots)]$, where $c$ is a fresh constant, do not affect entailment from $\mathcal{K}$, but will change the set $\Psi$ of terms allowed in a local proof.

A ground clause is called flat if its terms have depth at most 2. A flat ground clause is called linear if whenever a constant occurs in two functional terms in the clause, the two terms are identical, and if no term contains two occurrences of a constant. Hence the clause $c \approx f(a,b) \to f(a,b) \approx f(b,a)$ is flat but not linear. If the clause occurs as a query, an equivalent linear query would be $a \approx a', b \approx b', c \approx f(a,b) \to f(a,b) \approx f(b',a')$, where $a'$ and $b'$ are fresh constants. For theory clauses the definition is essentially the same, with variables playing the role of constants: We say that a theory clause in $\mathcal{K}$ is flat, whenever function symbols (including constants) only occur as arguments of the equality symbol, but not as arguments of function symbols. A flat theory clause is called linear if whenever a variable occurs in two functional terms, the two terms are identical, and if no term contains two occurrences of a variable. Hence $f(x,y) \approx f(x,a)$ is neither flat nor linear. An equivalent flat and linear clause is $x' \approx x, z \approx a \to f(x,y) \approx f(x',z)$, where $x'$ and $z$ are fresh variables. Clearly all clauses, queries as well as theory clauses, can be flattened (and linearized) by the introduction of auxiliary constants and variables, respectively. If $\mathcal{K}$ is a Horn theory, by $\mathcal{K}_{\mathrm{flin}}$ we denote the set of flat and linear instances (not necessarily ground) of the clauses in $\mathcal{K}$. Clearly, a non-flat clause cannot have any flat instances. A flat but non-linear clause such as $a \approx f(x,y) \to b \approx f(x',y)$ has the flat and linear instance $a \approx f(x,y) \to b \approx f(x,y)$. Therefore, if $\mathcal{K}$ is finite and if subsumed clauses are ignored, $\mathcal{K}_{\mathrm{flin}}$ is also finite.

Proposition 4.1 (i) If $\mathcal{K}$ is a local theory then $\mathcal{K}_{\mathrm{flin}}$ is also local. In this case, for any query $C$, it holds that $\mathcal{K} \models C$ if, and only if, $\mathcal{K}_{\mathrm{flin}} \models C$.

(ii) If $\mathcal{K}$ locally entails any flat and linear query $C$ that is entailed by $\mathcal{K}$, then $\mathcal{K}$ is local.

Proof. (i) Suppose that $\mathcal{K}$ is local. If $\mathcal{K} \models C$ then $\mathcal{K} \models \mathrm{flin}(C)$, where $\mathrm{flin}(C)$ is the result of flattening and linearizing $C$. Since $\mathcal{K}$ is local, we obtain $\mathcal{K}_\Psi \models \mathrm{flin}(C)$, with $\Psi = \mathrm{st}[\mathrm{flin}(C)]$ the set of ground subterms in $\mathrm{flin}(C)$ and $\mathcal{K}$. As all terms in $\Psi$ are flat and linear, and no constant occurs in more than one functional term, the clauses in $\mathcal{K}_\Psi$ are flat and linear. Therefore $\mathcal{K}_\Psi \subseteq (\mathcal{K}_{\mathrm{flin}})_\Psi$, hence $\mathcal{K}_\Psi = (\mathcal{K}_{\mathrm{flin}})_\Psi$. Consequently $(\mathcal{K}_{\mathrm{flin}})_\Psi \models C$ and $\mathcal{K}_{\mathrm{flin}}$ is a local theory.

(ii) Suppose that $\mathcal{K} \models C$. We show that $\mathcal{K}_{\mathrm{st}[C]} \models C$. We may flatten and linearize $C$ into $C'$ by using auxiliary, pairwise different constants $c_t$, not occurring in $\mathcal{K}$ or $C$, to denote the subterms $t$ of $C$. Specifically, we may assume that for any original subterm $t = f(t_1,\ldots,t_n)$ in $C$, $C'$ contains the negative equation $c_t \approx f(c_{t_1},\ldots,c_{t_n})$ defining the constant as an abbreviation for the respective term, and that, apart from these definitions, no other equation in $C'$ contains a functional term. Since $\mathcal{K} \models C'$, by assumption we also have $\mathcal{K}_{\Psi'} \models C'$, where $\Psi'$ is the set of ground terms in $C'$ or $\mathcal{K}$. The only terms that may occur in $\mathcal{K}_{\Psi'}$ are the constants $c_t$, the constants in $\mathcal{K}$, and terms of the form $f(c_{t_1},\ldots,c_{t_n})$ such that $f(t_1,\ldots,t_n)$ is a subterm in $C$. Replacing the $c_t$ in $\mathcal{K}_{\Psi'}$ by $t$, therefore, yields clauses in $\mathcal{K}_{\mathrm{st}[C]}$ which entail $C$. □

In particular, if $\mathcal{K}$ is local, the quasi-varieties $\mathcal{K}$ and $\mathcal{K}_{\mathrm{flin}}$ coincide as $\mathcal{K}_{\mathrm{flin}}$ also implies those instances of $\mathcal{K}$ which are not in $\mathcal{K}_{\mathrm{flin}}$. (The latter are trivially implied by $\mathcal{K}$.) Part (ii) says that it is sufficient to show local entailment for flat, linear queries in order for a theory to be local. The relevance of this proposition is that when investigating locality for Horn theories it is sufficient to restrict attention to flat and linear theories and queries.

Flattening transformations for theory clauses that transform a clause $C[f(\ldots,t,\ldots)]$ in $\mathcal{K}$ into $C' = x \not\approx t \vee C[f(\ldots,x,\ldots)]$, where $x$ is a fresh variable, neither change the class of total nor the class of partial $\mathcal{K}$-algebras. The same holds for linearization transformations, replacing $C[f(\ldots,y,\ldots)]$, with $y$ a variable, by $C' = x \not\approx y \vee C[f(\ldots,x,\ldots)]$, where $x$ is a fresh variable. However, replacing $\Gamma \to f(\ldots) \approx t$ by $\Gamma, x \approx f(\ldots) \to x \approx t$, although not affecting the class of total $\mathcal{K}$-algebras, only preserves weak satisfaction in partial algebras. Strong satisfaction, which might induce that certain $f$-terms be defined, is made void when this kind of transformation is performed.

5  Stably  Local  Theories 

Proposition 4.1 also suggests that the definition of locality is sometimes too strong. In fact, the following less restrictive form of locality, where we allow arbitrary query subterms to be instantiated for the variables in theory clauses, will also be useful. Let $\mathcal{K}_{[C]}$, for $C$ a ground clause, denote the set of ground instances of clauses in $\mathcal{K}$ where variables are mapped to terms in $\mathrm{st}[C]$, that is, to subterms in $C$ or constants in $\mathcal{K}$. Considering $\mathcal{K}_{[C]}$, we also have instances of $\mathcal{K}$ at our disposal in which there are terms not in $\mathrm{st}[C]$. For example, if $C = a \approx b$ and if $f(x,y) \approx f(y,x)$ is in $\mathcal{K}$ then $f(a,b) \approx f(b,a)$ is in $\mathcal{K}_{[C]}$ but not in $\mathcal{K}_{\mathrm{st}[C]}$, since $f(a,b)$ is not a term in $C$. We say that $\mathcal{K}$ is stably local if for every ground Horn clause $C$ we have $\mathcal{K} \models C$ if, and only if, $\mathcal{K}_{[C]} \models C$. This presentation Int' of integers with successor and predecessor is stably local even without the presence of the injectivity clauses for $s$ and $p$:

$p(x) \approx y \to s(y) \approx x$

$s(x) \approx y \to p(y) \approx x$

In fact, $s(u) \approx s(v) \to u \approx v$, say, follows from $s(u) \approx s(u) \to p(s(u)) \approx u$ and $s(v) \approx s(v) \to p(s(v)) \approx v$, where these instances of Int' are admitted in stably local entailment but not in local entailment. Rewriting the clauses of Int' into

$\to s(p(x)) \approx x$

$\to p(s(x)) \approx x$

gives another stably local (non-flat) presentation Int'' of the integers. For example, $p(u) \approx v \to s(v) \approx u$ is stably locally entailed by the instance $s(p(u)) \approx u$ of the first clause in Int''.

Locality is a special case of stable locality since $\mathcal{K}_{\mathrm{st}[C]} = (\mathcal{K}_{[C]})_{\mathrm{st}[C]}$. Stable locality is insensitive towards flattening of goals in that for every theory $\mathcal{K}$ we have $\mathcal{K}_{[C]} \models C$ iff $\mathcal{K}_{[\mathrm{flin}(C)]} \models \mathrm{flin}(C)$. Like locality, stable locality also implies that the uniform word problem is decidable in polynomial time.

Theorem 5.1 Let $\mathcal{K}$ be a given theory the size of which is considered constant. If $\mathcal{K}$ is stably local and if $C$ is a ground clause then $\mathcal{K} \models C$ can be decided in time $O(n^{3k})$ where $n$ is the size of $C$ and $k$ the maximal number of variables in any clause in $\mathcal{K}$.

Proof. Let $C = \Gamma \to e$. By stable locality we have $\mathcal{K} \models C$ if, and only if, $\mathcal{K}_{[C]} \cup \Gamma \models e$. From Proposition 3.2 we infer that the latter is equivalent with $\mathcal{K}_{[C]} \cup \Gamma \cup \mathrm{EQ}_{\mathrm{st}[\mathcal{K}_{[C]}] \cup \mathrm{st}[C]} \models_{\mathrm{neq}} e$. As the number of terms appearing is in $O(n^k)$, the size of this set of propositional Horn clauses is in $O(n^{3k})$. □

As Int'' is stably local we obtain a cubic upper bound for the uniform word problem for integers with $s$ and $p$.

Refined complexity bounds can be obtained by more precise analysis of the term structure in $\mathcal{K}$. Although important in practice, this is not our concern here. Also, with a specialized treatment of equality one can get a better complexity bound in many cases. Using congruence closure to directly decide $\mathcal{K}_{[C]} \cup \Gamma \models e$ would yield a much better complexity of $O(n \log n)$ for $\mathcal{K} = \mathrm{Int''}$.
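The decision procedures sketched in Section 3 (instantiate $\mathcal{K}$ over $\mathrm{st}[C]$, add the equality axioms, decide the resulting propositional Horn problem) and in Section 5 ($\mathcal{K}_{[C]}$, whose instances may contain terms outside $\mathrm{st}[C]$) can be run mechanically on the presentations Int, Int' and Int''. The Python program below is an added illustration; it is not code from the paper or its authors, and the term encoding, the function names and the names INT, INT_PRIME, INT_2 and the queries are my own transcription of the examples in the text. It treats $\approx$ as a relation with the EQ axioms, in the sense of Proposition 3.2: union-find supplies reflexivity, symmetry and transitivity, the congruence axioms are applied explicitly over the subterm-closed set of terms present, and the Horn clauses are forward-chained to a fixpoint in the style of Dowling & Gallier.

```python
from itertools import product

# Constructed illustration, not the paper's code.  Ground terms are nested
# tuples: ('z',) is the constant z, ('s', ('z',)) is s(z).  Variables of
# theory clauses are plain strings such as 'x'.  A clause is (body, head):
# body is a list of equations (lhs, rhs), head is one equation.
def is_var(t): return isinstance(t, str)

def subterms(t):
    """All subterms of a ground term, including t itself."""
    return {t}.union(*(subterms(a) for a in t[1:]))

def symbols(t, want_var):
    """Variables (want_var=True) or constants (want_var=False) in a term."""
    if is_var(t) or len(t) == 1:
        return {t} if is_var(t) == want_var else set()
    return set().union(*(symbols(a, want_var) for a in t[1:]))

def apply(t, sigma):
    """Apply a substitution (variable -> ground term) to a term."""
    return sigma[t] if is_var(t) else (t[0],) + tuple(apply(a, sigma) for a in t[1:])

def clause_terms(clause):
    body, head = clause
    return [t for eq in body + [head] for t in eq]

def st(query, theory):
    """st[C]: ground subterms of the query C plus the constants of K."""
    terms = set().union(*(subterms(t) for t in clause_terms(query)))
    for clause in theory:
        terms |= set().union(*(symbols(t, False) for t in clause_terms(clause)))
    return terms

def instances(theory, domain, admissible):
    """Ground instances of K whose variables range over `domain`; an
    instance is kept only if `admissible` accepts the set of its subterms."""
    out = []
    for body, head in theory:
        vs = sorted(set().union(*(symbols(t, True) for t in clause_terms((body, head)))))
        for vals in product(list(domain), repeat=len(vs)):
            sigma = dict(zip(vs, vals))
            inst = ([(apply(l, sigma), apply(r, sigma)) for l, r in body],
                    (apply(head[0], sigma), apply(head[1], sigma)))
            if admissible(set().union(*(subterms(t) for t in clause_terms(inst)))):
                out.append(inst)
    return out

def horn_eq_entails(ground_clauses, query):
    """Decide ground_clauses, Γ ⊨ e for the ground query C = Γ → e, with
    equality as a relation: union-find for reflexivity/symmetry/transitivity,
    explicit congruence over the terms present (S ∪ EQ_Ψ ⊨_neq e, Prop. 3.2)."""
    body, head = query
    terms = set().union(*(subterms(t) for c in ground_clauses + [query]
                          for t in clause_terms(c)))
    parent = {t: t for t in terms}
    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra == rb:
            return False
        parent[ra] = rb
        return True
    for l, r in body:                   # assume the hypotheses Γ of the query
        union(l, r)
    changed = True
    while changed:                      # forward chaining to the least fixpoint
        changed = False
        for b, (hl, hr) in ground_clauses:
            if all(find(l) == find(r) for l, r in b):
                changed |= union(hl, hr)
        for t1 in terms:                # congruence: f(a,..) ≈ f(b,..) if a ≈ b
            for t2 in terms:
                if (len(t1) > 1 and t1[0] == t2[0] and len(t1) == len(t2)
                        and all(find(a) == find(b) for a, b in zip(t1[1:], t2[1:]))):
                    changed |= union(t1, t2)
    return find(head[0]) == find(head[1])

def locally_entails(theory, query):
    """K_{st[C]} ⊨ C: only instances whose terms all lie in st[C]."""
    T = st(query, theory)
    return horn_eq_entails(instances(theory, T, lambda ts: ts <= T), query)

def stably_locally_entails(theory, query):
    """K_{[C]} ⊨ C: variables range over st[C] but new terms are admitted."""
    T = st(query, theory)
    return horn_eq_entails(instances(theory, T, lambda ts: True), query)

def s(t): return ('s', t)
def p(t): return ('p', t)
INT_PRIME = [([(p('x'), 'y')], (s('y'), 'x')),        # p(x)≈y → s(y)≈x
             ([(s('x'), 'y')], (p('y'), 'x'))]        # s(x)≈y → p(y)≈x
INT = INT_PRIME + [([(p('x'), p('y'))], ('x', 'y')),  # p injective
                   ([(s('x'), s('y'))], ('x', 'y'))]  # s injective
INT_2 = [([], (s(p('x')), 'x')), ([], (p(s('x')), 'x'))]  # Int''
z, u, v = ('z',), ('u',), ('v',)
Q_PS = ([], (p(s(z)), z))               # p(s(z)) ≈ z
Q_INJ = ([(s(u), s(v))], (u, v))        # s(u) ≈ s(v) → u ≈ v
Q_PV = ([(p(u), v)], (s(v), u))         # p(u) ≈ v → s(v) ≈ u
```

Running `locally_entails` and `stably_locally_entails` on these inputs reproduces the observations of the text: $p(s(z)) \approx z$ is locally entailed by Int; the injectivity query $s(u) \approx s(v) \to u \approx v$ is locally entailed by Int but only stably locally, not locally, entailed by Int', because the instances $s(u) \approx s(u) \to p(s(u)) \approx u$ it needs contain the term $p(s(u))$ outside $\mathrm{st}[C]$; and $p(u) \approx v \to s(v) \approx u$ is stably locally entailed by Int'' through $s(p(u)) \approx u$ and congruence. The closure is deliberately unoptimized (the congruence loop alone is quadratic in the number of terms), which is the kind of overhead the text attributes to the direct propositional encoding.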

6  Locality  and  Weak  Embeddability 

In this section we establish the main relationships between Evans' embeddability criterion and locality. We will show that Evans' criterion is weaker than stable locality but stronger than locality. For a large subclass of presentations, locality and Evans' criterion coincide. We also show that the weaker form of Evans' criterion with satisfaction replaced by weak satisfaction is equivalent with locality.

Looking at the proofs in (Evans 1951) it is not surprising that some sort of relation exists between embeddability and locality. However the precise details are not so straightforward, the reason being that Evans' notion of validity, involving a semantic notion of definedness, is not so easily captured proof-theoretically. A special case is the definedness of theory constants. In this section we will additionally require that for a partial algebra $A$ in order to satisfy, or weakly satisfy, a theory $\mathcal{K}$, every constant appearing in $\mathcal{K}$ is defined in $A$. With this, Evans' criterion becomes even stronger as fewer partial algebras need to be embedded. The restriction will only be needed for the proof of Theorem 6.1 and its applications in Section 7.

6.1  Locality  Implies  Embeddability 

In the following theorem, under the assumption of locality, the embeddability property is even shown for infinite partial algebras that need only weakly satisfy $\mathcal{K}$.

Theorem 6.1 Let $\mathcal{K}$ be a local set of flat Horn clauses. Then every partial algebra which weakly satisfies $\mathcal{K}$ weakly embeds into $\mathcal{K}$.


Proof. We prove the contrapositive of the theorem. Let $A$ be a partial algebra weakly satisfying $\mathcal{K}$ that does not weakly embed into $\mathcal{K}$. We will show that then $\mathcal{K}$ is not local. Without loss of generality we may assume that $A \subseteq \Sigma$, that is, the elements of $A$ are generators in $\Sigma$, but no constant occurring in $\mathcal{K}$ is a member of $A$. Moreover let $F_A$ be the "table" of the function definitions in $A$, that is, the set of equations of the form $f(a_1,\ldots,a_n) \approx a$ with $a, a_i$ in $A$ and $f$ a function symbol in $\Sigma$, such that $f_A(a_1,\ldots,a_n)$ is defined and equal to $a$. Suppose $I$ is a $\Sigma$-algebra satisfying $\mathcal{K}$ and also the equations in $F_A$. The mapping $h$ sending $a$ in $A$ to its value $a_I$ in $I$ is a weak $\Sigma$-homomorphism as $I$ satisfies $F_A$. By assumption, $A$ does not weakly embed into $I$ so that there are two different elements $a$ and $a'$ of $A$ for which $I \models a \approx a'$. Hence whatever model of $\mathcal{K} \cup F_A$ one chooses, it will identify two constants corresponding to different elements in $A$. In other words, $\mathcal{K} \cup F_A \models \bigvee \{\, a \approx a' \mid a \neq a' \text{ in } A \,\}$. Since $\mathcal{K} \cup F_A$ is a Horn theory, one of the disjuncts must be entailed, that is, $\mathcal{K} \cup F_A \models a \approx a'$, for two different elements $a$ and $a'$ in $A$. Compactness of first-order logic ensures that only finitely many equations in $F_A$ are needed to deduce $a \approx a'$. We have shown that there is a (finite) Horn clause $C = \Gamma \to a \approx a'$ such that $\mathcal{K} \models C$, and with $\Gamma$ true, but $a \approx a'$ false in $A$.

Suppose that already $\mathcal{K}_\Psi \models \Gamma \to a \approx a'$, with $\Psi$ the set of ground terms in $\mathcal{K}$ or $C$. By assumption, $A$ weakly satisfies $\mathcal{K}$. Moreover, all the terms occurring in $\mathcal{K}_\Psi$ and $\Gamma$ are defined in $A$. Therefore, every equation in defined ground terms that is true in the least congruence generated by $\mathcal{K}_\Psi \cup \Gamma$ is also true in $A$.$^4$ But this implies that $a$ and $a'$ are equal in $A$ which is not the case. Consequently, $\mathcal{K}_\Psi \not\models \Gamma \to a \approx a'$, hence $\mathcal{K}$ is not a local theory. □

Hence locality is subsumed by Evans' criterion. This subsumption relation is proper. For the presentation Int' one can show that every finite partial Int'-algebra weakly embeds into Int'. (In any partial Int'-algebra, $s$ [$p$] must be defined on all $p$ [$s$] images. Therefore both partial functions have to be injective.) However, as we have seen before, Int' is only stably local but not local.

In the proof of the above theorem it is crucial that theory constants are defined in partial algebras that weakly satisfy $\mathcal{K}$. Suppose we have $\mathcal{K}$ consisting of the two clauses

$a \approx a \to a \approx b$

$a \approx b \to a \approx c$.

Since $\mathcal{K}$ is equivalent to the two ground equations $a \approx b$ and $a \approx c$, $\mathcal{K}$ is a local theory. But if $F$ is a partial algebra in which $a$ is undefined and $b$ and $c$ are defined but different, $F$ vacuously satisfies $\mathcal{K}$ (including definedness requirements), yet cannot be weakly embedded into $\mathcal{K}$.

$^4$If a partial algebra $A$ satisfies a set $S$ of ground Horn clauses and if every term in $S$ is defined in $A$, then if $S \models s \approx t$, with $s$ and $t$ defined in $A$, then $A \models s \approx t$. As equality is a local theory, cf. Proposition 3.1, equational reasoning can be confined to the subterms in $S$, which are all defined in $A$.
6.2 Embeddability Implies Locality

Theorem 6.2 Let $\mathcal{K}$ be a set of flat, linear Horn clauses. Suppose that every finite partial algebra which weakly satisfies $\mathcal{K}$ weakly embeds into $\mathcal{K}$. Then $\mathcal{K}$ is local.

Proof. Using Proposition 4.1, part (ii), we have to show that, under the given assumptions, if $\mathcal{K} \models C$, then $\mathcal{K}_{\mathrm{st}[C]} \models C$, for flat and linear ground clauses $C$. Let $\Psi$ be shorthand notation for $\mathrm{st}[C]$. As $C$ and the clauses in $\mathcal{K}$ are flat, a term in $\Psi$ is either a constant, or else of the form $f(c_1,\ldots,c_n)$, with constants $c_i$, $n > 0$. Let $C = s_1 \approx t_1, \ldots \to s \approx t$, and let us assume, for the purpose of deriving a contradiction, that $C$ is not entailed by $\mathcal{K}_\Psi$. Then there exists an algebra $I$ satisfying $\mathcal{K}_\Psi$ and the equations $s_i \approx t_i$, but $s$ and $t$ are different in $I$, that is, $I$ satisfies $s \not\approx t$. From this we will now construct a finite, partial algebra $F$ satisfying $s_i \approx t_i$ and $s \not\approx t$ and weakly satisfying $\mathcal{K}$.

Let $F = \{\, t_I \mid t \text{ a term in } \Psi \,\}$, and let the functions $f$ in $\Sigma$ be defined by $f_F(a_1,\ldots,a_n) = f(c_1,\ldots,c_n)_I$, with $n > 0$, whenever there exist constants $c_i$ in $\Psi$ such that $a_i = (c_i)_I$, for $1 \le i \le n$, and $f(c_1,\ldots,c_n)$ is also a term in $\Psi$. Let $f_F$ be undefined in all other cases. We now show that $F$ weakly satisfies $\mathcal{K}$. (By construction, $F$ satisfies the $s_i \approx t_i$ as well as $s \not\approx t$.) Clearly, the constants appearing in $\mathcal{K}$ are defined in $F$. Now let $D = u_1 \approx v_1, \ldots \to u \approx v$ be a clause in $\mathcal{K}$, and let $\beta$ be an assignment of elements in $F$ to the variables in $D$ such that $\beta(u_i) = \beta(v_i)$, with all these terms defined. We can now find a substitution $\sigma$ of the variables in $D$ by terms in $\Psi$ such that for every term $w$ in $D$, whenever $\beta(w)$ is defined then $w\sigma$ is a term in $\Psi$ and $(w\sigma)_I = \beta(w)$. For instance, if a $w$ is of the form $f(x_1,\ldots,x_n)$, choose $x_j\sigma$ to be a constant $c_j$ in $\Psi$ such that $(c_j)_I = \beta(x_j)$, for $1 \le j \le n$, and $f(c_1,\ldots,c_n)$ is also a term in $\Psi$. (Note that the arguments to $f$ have to be pairwise distinct variables.) By the definition of $f_F$, such constants can be found whenever $f_F$ is defined on the $\beta(x_j)$. With this, $f(x_1,\ldots,x_n)\sigma$ is in fact a term in $\Psi$. As the entire clause $D$ is linear in that no variable occurs in two different functional terms, the $\sigma$ for the individual occurrences of functional terms can be combined into a single substitution. For variables $y$ which do not occur in a functional term in $D$, the substitution can be an arbitrary term $s'$ in $\Psi$ such that $s'_I = \beta(y)$.

We have to verify the condition (i) in the definition of satisfaction for clauses in partial algebras. Suppose that $\beta(u)$ and $\beta(v)$ are both defined. By the construction of $\sigma$ we have that $u\sigma$ and $v\sigma$ are in $\Psi$, and $(u\sigma)_I = \beta(u)$, $(v\sigma)_I = \beta(v)$. With this, $D\sigma$ is in $\mathcal{K}_\Psi$. Therefore $I$ satisfies $D\sigma$ so that $(u\sigma)_I = (v\sigma)_I$, and hence $\beta(u) = \beta(v)$. Now that $F$ has been shown to weakly satisfy $\mathcal{K}$, according to the assumption there exists a total $\mathcal{K}$-algebra $I'$ into which $F$ can be weakly embedded. This algebra $I'$ satisfies $s_i \approx t_i$ as $F$ does, and since the embedding is injective, $I'$ also satisfies $s \not\approx t$. Altogether, $I' \not\models C$, which contradicts the assumption that $\mathcal{K} \models C$. □


Hence we see that the weaker form of Evans' criterion with satisfaction replaced by weak satisfaction implies locality. For a large subclass of presentations, the distinction between the two forms of satisfaction is inessential. Let us call a presentation $\mathcal{K}$ superficial, if every term that occurs positively (in the head) of a clause in $\mathcal{K}$ also occurs as a subterm negatively (in the body) of the same clause.

Theorem 6.3 Let $\mathcal{K}$ be a set of flat, linear, and superficial Horn clauses. Then $\mathcal{K}$ is local, whenever every finite partial $\mathcal{K}$-algebra weakly embeds into $\mathcal{K}$.

Proof. The definedness requirements for partial $\mathcal{K}$-algebras are void, if every positive functional term also appears negatively in the same clause. In that case, any partial algebra which weakly satisfies $\mathcal{K}$ is a partial $\mathcal{K}$-algebra, and the theorem follows from Theorem 6.2. □

For arbitrary presentations, the existence of weak embeddings for finite partial $\mathcal{K}$-algebras implies stable locality.

Theorem 6.4 Let $\mathcal{K}$ be a set of Horn clauses. Suppose that every finite partial $\mathcal{K}$-algebra weakly embeds into $\mathcal{K}$. Then $\mathcal{K}$ is stably local.

Proof. Let $C$ be a ground clause. We have to show that, under the given assumptions, if $\mathcal{K} \models C$, then $\mathcal{K}_{[C]} \models C$. Let $C = s_1 \approx t_1, \ldots \to s \approx t$, and let us assume, for the purpose of deriving a contradiction, that $C$ is not entailed by $\mathcal{K}_{[C]}$. Then there exists an algebra $I$ satisfying $\mathcal{K}_{[C]}$ and the equations $s_i \approx t_i$, but $s$ and $t$ are different in $I$, that is, $I$ satisfies $s \not\approx t$. From this we will now construct a finite, partial $\mathcal{K}$-algebra $F$ satisfying $s_i \approx t_i$ and $s \not\approx t$. The main difference to the proof of Theorem 6.2 will be that more terms are going to be defined in $F$.

Let $F := \{\, t_I \mid t \text{ a term in } \mathrm{st}[C] \,\}$, and let the functions $f$ in $\Sigma$ be defined such that $I$ is an expansion of $F$. In other words, a function application $f_F(a_1,\ldots,a_n)$ in $F$ is defined and yields $a$ as result, iff $f_I(a_1,\ldots,a_n) = a$ with $a$ in $F$. By construction, $F$ satisfies the equations $s_i \approx t_i$ as well as $s \not\approx t$. Let $D = u_1 \approx v_1, \ldots, u_m \approx v_m \to u \approx v$ be a clause in $\mathcal{K}$ and let $\beta$ be an assignment of elements in $F$ to the variables. Then the pair $D, \beta$ corresponds to at least one instance of $D$ in $\mathcal{K}_{[C]}$. And, since function application $f_F(a_1,\ldots,a_n)$ in $F$ is defined whenever the evaluation $f_I(a_1,\ldots,a_n)$ of the application in $I$ yields a value in $F$, $F$ satisfies $\mathcal{K}$ such that both conditions (i) and (ii) in the definition of satisfaction are met. In other words, $F$ is a partial $\mathcal{K}$-algebra. Hence, there exists a total $\mathcal{K}$-algebra $I'$ into which $F$ can be embedded. This algebra $I'$ satisfies the equations $s_i \approx t_i$ as $F$ does, and since the embedding is injective, $I'$ also satisfies $s \not\approx t$. Altogether, $I' \not\models C$, which contradicts the assumption that $\mathcal{K} \models C$. □
The preceding theorem, in connection with Theorem 5.1, strengthens Theorem 2.1 by also providing us with a concrete complexity bound. It also shows that Evans' approach is subsumed by stable locality. This subsumption is proper. Consider the presentation given as

$p(x) \approx y, s(y) \approx z \to z \approx x$

$s(x) \approx y, p(y) \approx z \to z \approx x$

Like Int', this presentation is stably local. However, the two-element algebra $A = \{a, b\}$ with $s_A(a) = s_A(b) = a$ and $p_A = \emptyset$, the totally undefined function, trivially (strongly) satisfies it but cannot be weakly embedded into it, where $s$ has to be injective.

7 Locality and Axiomatizable Classes of Relational Substructures

Burris' results are based on the view of partial algebras as relational structures. Remember that for a signature $\Sigma$ without predicate symbols, by $\Sigma^*$ we denote the corresponding relational signature where each $n$-ary function symbol $f$ in $\Sigma$ is replaced by an $n+1$-ary relation symbol $r^f$. $\Sigma^*$-clauses are formed from the predicate symbols in $\Sigma^*$, the equality symbol, and variables. Similarly, if $A$ is a $\Sigma$-algebra, by $A^*$ we denote its relational variant, the $\Sigma^*$-structure for which $r^f_{A^*}(a_1,\ldots,a_n,a)$ if, and only if, $f_A(a_1,\ldots,a_n) = a$. If $C$ is an equational Horn clause with all equations of the form $f(x_1,\ldots,x_k) \approx x$ or $x \approx y$, with variables $x_i$, $x$, $y$, by $C^*$ we denote its relational variant where all equations $f(x_1,\ldots,x_k) \approx x$ are replaced by atoms $r^f(x_1,\ldots,x_k,x)$. If $\mathcal{K}$ is a class of total $\Sigma$-algebras, by $S(\mathcal{K}^*)$ we denote the class of full substructures of members of $\mathcal{K}^*$, that is the class of $\Sigma^*$-structures $A^*$ for which there exists an algebra $B$ in $\mathcal{K}$ such that $B^*$ is an expansion of $A^*$. On the other hand, by $\bar{S}(\mathcal{K}^*)$ we denote the class of weak substructures of members of $\mathcal{K}^*$. This class coincides with the class of $\Sigma^*$-structures that weakly embed into $\mathcal{K}$, that is, with $\{\, P^* \mid P \text{ weakly embeds into an algebra } A \in \mathcal{K} \,\}$. By construction we have $S(\mathcal{K}^*) \subseteq \bar{S}(\mathcal{K}^*)$. (A full substructure is obtained by intersecting the graphs of the functions in a total algebra with the chosen subset of its carrier. Weak substructures are obtained from full substructures by making the functions even less defined. Hence there are more weak substructures than full substructures.)

Theorem 7.1 (Burris 1995) Let $\mathcal{K}$ be a quasi-variety over $\Sigma$ such that there is a finite set of Horn clauses $H$ over $\Sigma^*$ with $S(\mathcal{K}^*) \subseteq H \subseteq \bar{S}(\mathcal{K}^*)$. Then the uniform word problem for $\mathcal{K}$ is decidable in polynomial time.

The criterion says that if some subclass of relational weak substructures of $\mathcal{K}$ which includes all full substructures is finitely axiomatizable, the uniform word problem is decidable in polynomial time. We will show constructively that this criterion implies the existence of a stably local presentation, and that, conversely, from a local presentation a suitable $H$ can be effectively constructed.

It is not surprising that in comparing Burris' criterion with locality we encounter the same technical problem with constants as we did in Section 6. Hence from now on in this section we restrict the classes $\overline{S}(\mathcal{K}^*)$, $H$ (the models of $H$), and $S(\mathcal{K}^*)$ to structures in which the relations $r^a$ are nonempty, for every constant $a$ appearing in $\mathcal{K}$. In other words, if $A$ is a partial algebra for which $A^*$ is in any of these classes, we again require that the constants in $\mathcal{K}$ be defined in $A$.

Given a set $H$ of $\Sigma^*$-clauses, by $H_*$ we denote the set of equational $\Sigma$-clauses obtained from $H$ by replacing atoms $r^f(x_1, \dots, x_n, x)$ by equations $f(x_1, \dots, x_n) \approx x$. Clearly, $H_*$ is a flat set of clauses. Note that if $A$ is a partial $\Sigma$-algebra, then $A^*$ satisfies $H$ if, and only if, $A$ (strongly) satisfies $H_*$. $A$ has to satisfy the definedness requirements implied by $H_*$ in order for $A^*$ to satisfy $H$. For example, if $r^a(x), r^b(y) \to r^f(x, y)$ is a clause in $H$, the corresponding clause in $H_*$ will be $a \approx x, b \approx y \to f(x) \approx y$. In order for $A^*$ to satisfy $r^a(x), r^b(y) \to r^f(x, y)$, $f_A$ has to be defined on $a_A$ with $f_A(a_A) = b_A$.

Theorem 7.2 Let $H$ be a set of $\Sigma^*$-clauses with $\overline{S}(\mathcal{K}^*) \subseteq H \subseteq S(\mathcal{K}^*)$. Then $H_*$ is a stably local presentation of the quasi-variety $\mathcal{K}$.

Proof. First we show that the class of algebras satisfying $H_*$ coincides with $\mathcal{K}$. If $A \models H_*$ then $A^* \models H$, and therefore $A^*$ is in $S(\mathcal{K}^*)$. Hence $A$ can be weakly embedded into a $\mathcal{K}$-algebra $B$. In other words, $A$ is isomorphic to a $\mathcal{K}$-subalgebra, hence is a $\mathcal{K}$-algebra itself.

Conversely, suppose that $A$ is in $\mathcal{K}$. Then $A^*$ is in $\overline{S}(\mathcal{K}^*)$, so that $A^* \models H$, hence $A \models H_*$.

Now we show that $H_*$ is stably local. According to Theorem 6.4 we have to show that every finite partial $H_*$-algebra $A$ weakly embeds into $H_*$. Let such an algebra $A$ be given. As $A^* \models H$ and as $H \subseteq S(\mathcal{K}^*)$, the embedding property for $A$ follows. □

Conversely, from a local theory $\mathcal{K}$ we can obtain a finite axiomatization $H_{\mathcal{K}}$ satisfying $\overline{S}(\mathcal{K}^*) \subseteq H_{\mathcal{K}} \subseteq S(\mathcal{K}^*)$. We may assume that $\mathcal{K}$ is flat and linear. (Otherwise, applying Proposition 4.1, we may replace $\mathcal{K}$ by $\mathcal{K}_{\mathit{flin}}$, the set of flat and linear instances of $\mathcal{K}$.) Now define $H_{\mathcal{K}}$ to be the union of $\mathcal{K}^*$ and the set of uniqueness clauses $r^f(x_1, \dots, x_n, y),\, r^f(x_1, \dots, x_n, z) \to y \approx z$ for the relations $r^f$.

Theorem 7.3 With $H_{\mathcal{K}}$ as defined above, if $\mathcal{K}$ is a local theory, then $\overline{S}(\mathcal{K}^*) \subseteq H_{\mathcal{K}} \subseteq S(\mathcal{K}^*)$.

Proof. Clearly, all full substructures of $\mathcal{K}^*$ satisfy $H_{\mathcal{K}}$. Moreover, if $A^* \models H_{\mathcal{K}}$, then $A$ is in particular a partial $\mathcal{K}$-algebra. By Theorem 6.1, any such $A$ weakly embeds into $\mathcal{K}$, hence $A^*$ is in $S(\mathcal{K}^*)$. □

8  Conclusion  and  Further  Remarks 

In this paper we have established close relationships between the approaches by Evans, Burris and McAllester to capture polynomial time computation in the context of uniform word problems. The criteria by Evans and Burris are essentially semantic, relating functional and relational models of given presentations. Local inference (McAllester's approach) and stable locality (our variant of this concept) are notions which are more proof-theoretic in nature. It was interesting to see how closely related these approaches are. We have shown that both Evans' and Burris' criteria lie in between the two variants of locality. The inclusions are proper (at least for Evans' approach; for Burris' we do not know yet). In particular the concept of stably local theories subsumes Burris' method (which in turn subsumes Evans' method), and the subsumption is strict for the Evans case.

8.1 Explicit Definedness Predicates

The reason why [stable] locality and the other two approaches are not quite equivalent is intimately related to the definedness requirements for partial functions that partial $\mathcal{K}$-algebras or full substructures of $\mathcal{K}^*$ have to satisfy. For the subclass of presentations for which the definedness requirements are void, we were able to establish equivalence of locality and Evans' criterion. Definedness, however, is a semantic concept that is not so easily captured syntactically. Only those clauses for which the antecedent is satisfiable contribute to definedness properties.

The following approach should work to simulate some of these effects in the framework of stable locality. Transform any given $\mathcal{K}$ by replacing clauses such as $s \approx t \to f(u) \approx g(v)$ by (read "$D(x)$" as "$x$ is defined")

$D(s), D(t), D(u), D(g(v)), s \approx t \to D(f(u))$

$D(s), D(t), D(v), D(f(u)), s \approx t \to D(g(v))$

$D(s), D(t), D(f(u)), D(g(v)), s \approx t \to f(u) \approx g(v)$

internalizing the notion of satisfaction for partial algebras. (The general case of the transformation should be obvious.) Let $\mathcal{K}^D$ denote the result of that transformation. Call $\mathcal{K}$ "Evans"-local if for every ground clause $C = \Gamma \to e$ we have $\mathcal{K}^D[C] \cup \Gamma \cup D[C] \models e$ whenever $\mathcal{K} \models C$, with $D[C]$ the set of facts $D(t)$ for each subterm $t$ in $C$ and each constant $t$ in $\mathcal{K}$. As in stable locality, we may use substitution instances of theory clauses where variables are sent to subterms of $C$ or constants in $\mathcal{K}$. However, because the transformed clauses are used, we may additionally only compute with those terms in $\mathcal{K}^D[C]$ that are semantically equal to a subterm of the query or to a constant in $\mathcal{K}$. $\mathrm{Int}'$ is an example of a presentation that is Evans-local.


Evans-locality should be equivalent to Evans' criterion, but since its definition is somewhat awkward and since it is not clear how to design good recursively enumerable approximations of the concept, we have not yet investigated this claim in more detail.

8.2  Applications 

It might be possible to exploit the relation between the semantic and proof-theoretic concepts for mutually transferring further techniques. In particular, certain (yet to be established) amalgamation properties for algebras would induce combination results for local theories over disjoint vocabularies.

Let $P$ be any partial $\mathcal{K}$-algebra. Let $T(P) = T_\Sigma(P)/E_P$, that is, the free (total) $\Sigma$-term algebra generated over $P$, modulo the congruence $E_P$ generated by the identities in $P$, that is, the equations $a_0 \approx f(a_1, \dots, a_n)$ such that $a_i$ is in $P$ and $a_0 = f_P(a_1, \dots, a_n)$ holds in $P$. We can turn $T(P)$ into a $\mathcal{K}$-algebra by dividing by the intersection $K$ of all kernels of homomorphisms $h : T(P) \to A \in \mathcal{K}$. Let $F(P, \mathcal{K}) = T(P)/K$. A specific case of a much more general result proved by Burmeister (1986) is this universal property of $F(P, \mathcal{K})$:

Theorem 8.1 (Burmeister 1986) $F(P, \mathcal{K})$ is a $\mathcal{K}$-algebra, and for any weak homomorphism $h$ from $P$ into a $\mathcal{K}$-algebra $B$ there is a unique homomorphism $\bar{h} : F(P, \mathcal{K}) \to B$ such that $h = \bar{h} \circ \kappa$, with $\kappa : P \to F(P, \mathcal{K})$ the canonical weak homomorphism sending any element of $P$ to its congruence class under $K$.

The theorem asserts that $F(P, \mathcal{K})$ is the free (total) $\mathcal{K}$-algebra generated by the partial $\Sigma$-algebra $P$.

Corollary 8.2 If $P$ weakly embeds into $\mathcal{K}$ then the canonical weak homomorphism $\kappa : P \to F(P, \mathcal{K})$ is injective.

Hence, whenever a partial algebra $P$ weakly embeds into $\mathcal{K}$ it specifically also weakly embeds into its free extension $F(P, \mathcal{K})$, a fact already observed by Evans (1951).

Suppose now that we have two flat, linear, and superficial local theories $\mathcal{K}_1$ and $\mathcal{K}_2$ over disjoint signatures $\Sigma_1$ and $\Sigma_2$ respectively. We want to show that the union $\mathcal{K}_1 \cup \mathcal{K}_2$ is also local. One way to do this is to utilize the methods in (Nelson & Oppen 1979) for combining decision procedures. An algebraic proof might be obtained via an amalgamation construction similar to the one given by Baader & Schulz (1998) for proving decidability of the combination of certain unification problems.

We need to show that every finite partial $\mathcal{K}_1 \cup \mathcal{K}_2$-algebra $P$ weakly embeds into $\mathcal{K}_1 \cup \mathcal{K}_2$, and then apply Theorem 6.3. Given $P$, forget the operations in $\Sigma_2$ and $\Sigma_1$, respectively, yielding a partial $\mathcal{K}_1$-algebra $P_1$ and a partial $\mathcal{K}_2$-algebra $P_2$. As the given theories are local, these algebras weakly embed into the free constructions $F(P_1, \mathcal{K}_1)$ and $F(P_2, \mathcal{K}_2)$, respectively. We believe that one can now amalgamate $F(P_1, \mathcal{K}_1)$ and $F(P_2, \mathcal{K}_2)$ into a single $\mathcal{K}_1 \cup \mathcal{K}_2$-algebra into which $P$ weakly embeds, but the details have not been worked out yet.
Abstract

We provide a semantic framework for (first order) message-passing process calculi by combining categorical theories of abstract syntax with binding and operational semantics. In particular, we obtain abstract rule formats for name and value passing with both late and early interpretations. These formats induce an initial-algebra/final-coalgebra semantics that is compositional, respects substitution, and is fully abstract for late and early congruence. We exemplify the theory with the $\pi$-calculus and value-passing CCS.


Introduction 

A complete description of the semantics of a programming language requires both an operational semantics describing the behaviour of programs in terms of elementary steps and a more abstract denotational semantics describing the meaning of a program in terms of its components [32]. In the study of process calculi for concurrency (such as CCS [25], CSP [19], and ACP [4]) less emphasis is placed on denotational models and more on notions of behavioural equivalence, and on bisimulation equivalence [25] in particular. Still, for the operational semantics to be well-behaved, one requires that the chosen notion of behavioural equivalence be a congruence with respect to the constructs of the language.

To establish congruence results for behavioural equivalences it is convenient to define the operational semantics in terms of structural rules, i.e., Plotkin's SOS rules [29]. Correspondingly, much work has been done in order to identify SOS rule formats [10, 6, 17, 14] for which (strong) bisimulation is a congruence, the most well-known being GSOS [6]. However, such formats are hard to find and even harder to extend. Little or no success at all has been gained, e.g., in obtaining formats for more sophisticated process calculi than the above mentioned ones, process calculi with variable binding (like value-passing CCS [26] and the $\pi$-calculus [27]) in particular. The present paper addresses this very problem.

The solution we offer is based on understanding the mathematical structure underlying syntax and semantics of message passing processes. The formats we obtain are abstract and require a fair amount of category theory. However, concrete, syntactic formats can be distilled from them and this, indeed, will be the next step of our investigation.

The starting point for our work lies in [35], where a categorical rule format is defined in terms of functorial notions $\Sigma$ and $B$ of syntax and behaviour familiar from initial algebra [16] and final coalgebra [1, 36] semantics. This format is given by transformations

$\Sigma(X \times BX) \to BTX$ (1)

natural in the parameter $X$ (to be thought of as a generic set of meta-variables used in the rules), where $T$ is the term monad associated to the signature $\Sigma$, i.e., $TX = \mu Y.\, X + \Sigma Y$.

The type in (1) arises from giving to each operator of arity $n$ of the signature a natural transformation

$(X \times BX)^n \to BTX$ (2)

describing the overall behaviour of the operator in terms of the behaviour of its arguments. This abstract format corresponds to GSOS when $B$ is taken to be the functor on $\mathbf{Set}$ whose coalgebras are finitely branching labelled transition systems, i.e.,

$BX = \mathcal{P}_f(L \times X)$ (3)

where $L$ is a finite set of labels and $\mathcal{P}_f$ is the finite powerset functor. In this case, the domain $(X \times \mathcal{P}_f(L \times X))^n$ and the codomain $\mathcal{P}_f(L \times TX)$ of the map in (2) correspond, respectively, to the premises and the conclusions of GSOS rules for the operator. Interestingly, naturality accounts exactly for the GSOS restrictions on the occurrences of variables in the rules.

Any natural transformation of type (1) has the property that the coalgebraic behavioural equivalence associated to $B$ (which in the above case coincides with bisimulation [2]) is a congruence with respect to the operators of the syntax $\Sigma$. This is a corollary of the more general fact that rules in the format (1) induce a denotational semantics which is adequate in the sense that it is fully abstract with respect to behavioural equivalence.

The above result is independent from the choice of category and functors, provided they have enough structure and properties. Here we exploit this generality in order to find formats for process calculi with variable binding. To this end, we first had to give a functorial notion of syntax with binding. This was one of the main motivations for the work in [13], where we moved from sets to variable sets. There, variable sets are taken to be functors (called covariant presheaves) from a category of contexts to $\mathbf{Set}$; the category of contexts used is the category $\mathbb{F}$ of finite cardinals (i.e., sets of variables) and all functions (i.e., renamings). Most importantly, there exist a distinguished presheaf $V$ of variables and a differentiation functor $\delta = (\_)^V$ on presheaves. The latter is used to model variable binding with arity $V$: for a presheaf $X$, the elements of $\delta X$ in context $n$ are simply the elements of $X$ in the context $n + 1$ containing an extra variable, the variable to be bound.

We have now to find the right notions of behaviour $B$ for name and value passing. Let us start from name passing, where the two most natural notions of behavioural equivalence are late and early bisimulation [27]. These are not congruences for the $\pi$-calculus though; one then considers the late and early congruences instead [27], obtained by closing bisimulation under renamings (i.e., the maps of $\mathbb{F}$).

Previous (implicitly) coalgebraic work on name passing [12, 33] was based on a functor $B$ whose associated behavioural equivalence turns out to be late bisimulation. This functor $B$ lives in the category of presheaves over the category $\mathbb{I}$ of name contexts allowing only injective renamings. Surprisingly, the natural extension of such $B$ to the category of presheaves over $\mathbb{F}$ yields a new behaviour $B$ whose associated equivalence is exactly late congruence.

We are also able to solve the problem left open in [12, 33] of giving a denotational semantics fully abstract with respect to early bisimulation by introducing a new behaviour whose associated equivalence is early bisimulation¹. The extension of such behaviour to the presheaves over $\mathbb{F}$ has early congruence as associated equivalence. Therefore, the desired formats for early and late congruences live in the category of presheaves over $\mathbb{F}$ and, for instance, rules for unary binding will be of type

$(X \times BX)^V \to BTX$ (4)

where $B$ can be the extended behaviour for either late or early congruence.

¹ See also [28] for a different coalgebraic approach to early (and late) bisimulation and [8] for a domain equation for early bisimulation in the framework of presheaf models.


For value passing, we also give late and early behaviours, which are variations (cf. [20]) of the behaviour in (3). However, in order to model input rules we have to take into account the substitution structure present in value-passing calculi, i.e., the homogeneous substitution of messages in messages and the heterogeneous substitution of messages in processes. (For name passing this is not needed because substitution is just renaming, hence it is already, though implicitly, part of the category of presheaves over $\mathbb{F}$.)

The categorical framework for homogeneous substitution was developed in [13]. One considers a monoidal structure on presheaves with unit $V$. A presheaf $X \bullet Y$ can be thought of as having elements given by pairs of an element of $X$ together with a substitution consisting of a tuple of elements of $Y$. One then takes the notion of homogeneous substitution on a presheaf $M$ to be a monoid structure $V \to M \leftarrow M \bullet M$.

Here, in order to model the heterogeneous substitution of elements of a monoid $M$ in elements of a presheaf $X$, we need to go one step further and consider monoid actions $X \bullet M \to X$. Correspondingly, the modelling of rules takes place in the category of actions of the monoid of messages. Therefore, we need then to lift signatures with binding $\Sigma$ and extend behaviours $B$ to functors $\hat{\Sigma}$ and $\hat{B}$ on such a category.

In general, we have primitive notions $\Sigma$ and $B$ living in different categories, of syntax $\mathcal{S}$ and behaviour $\mathcal{B}$ respectively, while the rules live in yet another category $\mathcal{A}$ of substitutions (e.g., monoid actions). These categories are related by adjunctions

$\mathcal{S} \;\rightleftarrows\; \mathcal{A} \;\rightleftarrows\; \mathcal{B}$ (5)

the adjunction between $\mathcal{A}$ and $\mathcal{S}$ being monadic. The lifting of the $\Sigma$ on $\mathcal{S}$ to a $\hat{\Sigma}$ on $\mathcal{A}$ is done by means of a distributive law over the monad induced by the monadic adjunction $\mathcal{A} \rightleftarrows \mathcal{S}$, while the behaviour $\hat{B}$ on $\mathcal{A}$ is obtained by (right) extending $B$ on $\mathcal{B}$ along the composite adjunction $\mathcal{A} \rightleftarrows \mathcal{B}$. These constructions yield liftings/extensions as follows: the forgetful functor $\hat{\Sigma}\text{-Alg} \to \Sigma\text{-Alg}$ lies over $\mathcal{A} \to \mathcal{S}$, and the functor $\hat{B}\text{-Coalg} \to B\text{-Coalg}$ lies over $\mathcal{A} \to \mathcal{B}$.

The abstract rule format ensuring that behavioural equivalence is a congruence consists then of natural transformations of type

$\hat{\Sigma}(X \times \hat{B}X) \to \hat{B}\hat{T}X$ (6)

For name passing the actions of the monoid of variables are simply presheaves on $\mathbb{F}$, hence $\hat{\Sigma}$ is equal to $\Sigma$. For the original GSOS case of [35], with no variable binding, all three categories collapse to the category of sets, hence $\hat{\Sigma}$ and $\hat{B}$ are equal to $\Sigma$ and $B$ respectively and we recover (1).

The next obvious step for our work is to characterise the categorical rule formats for name and value passing proposed in this paper in elementary syntactic terms. The rule formats so obtained will certainly not be as in [5], where binding and substitution are defined within the rules rather than treated at the syntactic level. For value passing, our categorical rule format seems to be related to a syntactic format proposed in [30]. The relationship with the format of [15] for which a conservative extension property holds should also be investigated.

Another aspect we would like to consider is recursion. At present we would deal with guarded recursion following [34], but it would be interesting to deal with unguarded recursion along the lines of [31], hence working with variable cpos instead of variable sets.

Finally, there seems to be a tight correspondence between the coalgebras of our new behaviour for early bisimulation and the indexed labelled transition systems of [7]. We would like to investigate this for sheaves (in the Schanuel topos) rather than presheaves over $\mathbb{I}$.

1.  Basic  syntactic  and  semantic  structures 

1.1.  Expressions 

Syntax. Consider the following abstract grammar of expressions for integers

$e ::= x_i \mid z \mid e_1 \text{ plus } e_2 \mid e_1 \text{ minus } e_2$ (7)

where $x_i$ ranges over a countable list of variables ($i \in \mathbb{N}$) and $z$ over the set of integers $\mathbb{Z}$.

Following [13], we consider terms in a context, so that we can stratify expressions into a family $\{E_n\}_{n \in \mathbb{N}}$ of sets indexed by natural numbers (indicating the number of variables in the context). The set $E_n$ consists of the expressions with at most $n$ (canonical) free variables (typically denoted by $x_1, \dots, x_n$). Thus, $\{E_n\}_{n \in \mathbb{N}}$ is the least solution of the equations

$\{\, E_n = \{x_1, \dots, x_n\} + \mathbb{Z} + E_n^2 + E_n^2 \,\}_{n \in \mathbb{N}}$ (8)

Semantics. We write $\mathcal{E}[\![e]\!]_n$ for the interpretation of an expression $e$ in the context $x_1, \dots, x_n$; that is, for the function $\mathbb{Z}^n \to \mathbb{Z}$ defined compositionally as follows:

1. $\mathcal{E}[\![x_i]\!]_n = \pi_i$ (projection, $1 \le i \le n$)

2. $\mathcal{E}[\![z]\!]_n = \lambda \vec{x}.\, z$ (constant function $z$)

3. $\mathcal{E}[\![e_1 \text{ plus } e_2]\!]_n = \lambda \vec{x}.\, (\mathcal{E}[\![e_1]\!]_n(\vec{x}) + \mathcal{E}[\![e_2]\!]_n(\vec{x}))$

4. $\mathcal{E}[\![e_1 \text{ minus } e_2]\!]_n = \lambda \vec{x}.\, (\mathcal{E}[\![e_1]\!]_n(\vec{x}) - \mathcal{E}[\![e_2]\!]_n(\vec{x}))$

(9)

This interpretation is an initial algebra semantics. Indeed, the semantic domain given by

$\{\, \mathbf{Set}(\mathbb{Z}^n, \mathbb{Z}) \,\}_{n \in \mathbb{N}}$ (10)

where $\mathbf{Set}(S, S')$ denotes the set of functions from a set $S$ to a set $S'$, has a (pointwise) algebra structure given by the evident maps

$\{x_1, \dots, x_n\} \to \mathbf{Set}(\mathbb{Z}^n, \mathbb{Z})$

$\mathbb{Z} \to \mathbf{Set}(\mathbb{Z}^n, \mathbb{Z})$

$\mathbf{Set}(\mathbb{Z}^n, \mathbb{Z})^2 \cong \mathbf{Set}(\mathbb{Z}^n, \mathbb{Z}^2) \xrightarrow{\;+\;} \mathbf{Set}(\mathbb{Z}^n, \mathbb{Z})$

$\mathbf{Set}(\mathbb{Z}^n, \mathbb{Z})^2 \cong \mathbf{Set}(\mathbb{Z}^n, \mathbb{Z}^2) \xrightarrow{\;-\;} \mathbf{Set}(\mathbb{Z}^n, \mathbb{Z})$

(11)

(sending $x_i$ to the projection $\pi_i$, $z$ to the constant function $z$, and post-composing a pair of functions with addition and subtraction respectively), and

$\mathcal{E} = \{\, \mathcal{E}[\![\_]\!]_n : E_n \to \mathbf{Set}(\mathbb{Z}^n, \mathbb{Z}) \,\}_{n \in \mathbb{N}}$ (12)

is the unique algebra homomorphism from $\{E_n\}_{n \in \mathbb{N}}$ to $\{\mathbf{Set}(\mathbb{Z}^n, \mathbb{Z})\}_{n \in \mathbb{N}}$.

1.2.  Presheaves 

Categorically, families $\{X_n\}_{n \in \mathbb{N}}$ of sets are functors

$X : \mathbb{N} \to \mathbf{Set}$

where $\mathbb{N}$ is the discrete category of natural numbers or, equivalently, finite cardinals. Since we regard a finite cardinal $n$ as a context of $n$ variables, a function $\rho : n \to m$ can be seen as a renaming of variables. In order to model weakening, contraction, and exchange rules for contexts we need to use, instead of the discrete category $\mathbb{N}$, the category $\mathbb{F}$ of finite cardinals and all functions (cf. [13]). Correspondingly, we consider functors

$X : \mathbb{F} \to \mathbf{Set}$

i.e., (covariant) presheaves over $\mathbb{F}$. Thus, we will be working with families $\{X_n\}_{n \in \mathbb{N}}$ of sets equipped with an action that associates to every $x \in X_n$ (i.e., an element of $X$ at stage $n$) and every renaming $\rho : n \to m$ the element

$x[\rho] = X(\rho)(x) \in X_m$

Presheaves over $\mathbb{F}$ form a category $\mathbf{Set}^{\mathbb{F}}$, with natural transformations as morphisms.


Syntax. The family $\{E_n\}_{n \in \mathbb{N}}$ with action

$e[\rho] = e[x_{\rho 1}/x_1, \dots, x_{\rho n}/x_n] \quad (\rho : n \to m)$

given by variable renaming defines a presheaf $E : \mathbb{F} \to \mathbf{Set}$. This presheaf is the least solution of the equation

$X = V + K_{\mathbb{Z}} + X^2 + X^2$

in $\mathbf{Set}^{\mathbb{F}}$ (cf. (8)), where the presheaf of variables

$V : \mathbb{F} \to \mathbf{Set}, \quad V_n = n = \{x_1, \dots, x_n\}$

is the inclusion of $\mathbb{F}$ into $\mathbf{Set}$ and $K_{\mathbb{Z}}$ is the constantly $\mathbb{Z}$ presheaf. Hence $E$ is the free $\Sigma$-algebra $\mu Y.\, V + \Sigma Y$ over the presheaf of variables $V$, where

$\Sigma : \mathbf{Set}^{\mathbb{F}} \to \mathbf{Set}^{\mathbb{F}}, \quad \Sigma X = K_{\mathbb{Z}} + X^2 + X^2$

is the endofunctor on presheaves associated to the operators on expressions.


Syntax with binding. In the algebraic treatment of binding of [13], binding operators are modelled using the differentiation operator

$\delta : \mathbf{Set}^{\mathbb{F}} \to \mathbf{Set}^{\mathbb{F}}, \quad (\delta X)_n = X_{n+1}$

(For details, including initial algebra semantics, consult [13].)

Pi-calculus. The following grammar for (a fragment of) the $\pi$-calculus

$t ::= 0 \mid t_1 \,|\, t_2 \mid x(y).t \mid \bar{x}y.t \mid (x)t \mid [x = y]t$

corresponds to the signature endofunctor

$\Sigma X = 1 + X \times X + V \times \delta X + V \times V \times X + \delta X + V \times V \times X$

on $\mathbf{Set}^{\mathbb{F}}$. Indeed, its initial algebra

$T0 \cong 1 + T0 \times T0 + V \times \delta T0 + V \times V \times T0 + \delta T0 + V \times V \times T0$

is the presheaf of $\pi$-calculus terms, as described below.

Semantics. Also the semantic domain for expressions (10) has a presheaf structure. Indeed, for any objects $C$ and $D$ of a cartesian category $\mathcal{C}$, we have a functor

$\langle C, D \rangle : \mathbb{F} \to \mathbf{Set}, \quad \langle C, D \rangle_n = \mathcal{C}(C^n, D)$ (13)

The presheaf $\langle C, D \rangle$ can be thought of as the presheaf of mappings from environments of type $C$ to results of type $D$. Formally, at stage $n$, it consists of the set of morphisms in $\mathcal{C}$ from $C^n$ to $D$ with action

$f[\rho] = f \circ \langle \pi_{\rho 1}, \dots, \pi_{\rho n} \rangle \quad (\rho : n \to m)$

In particular, taking $\m	athcal{C} = \mathbf{Set}$ and $C = D = \mathbb{Z}$ we obtain the presheaf $\langle \mathbb{Z}, \mathbb{Z} \rangle$ with underlying family of sets as in (10).

The copairing of the maps in (11) gives a $\Sigma$-algebra structure

$\Sigma \langle \mathbb{Z}, \mathbb{Z} \rangle = K_{\mathbb{Z}} + \langle \mathbb{Z}, \mathbb{Z} \rangle^2 + \langle \mathbb{Z}, \mathbb{Z} \rangle^2 \to \langle \mathbb{Z}, \mathbb{Z} \rangle$ (14)

on $\langle \mathbb{Z}, \mathbb{Z} \rangle$ that induces the initial algebra semantics

$\mathcal{E} : E \to \langle \mathbb{Z}, \mathbb{Z} \rangle$

of (12). Note that the naturality of $\mathcal{E}$ amounts to the identity

$\mathcal{E}[\![e[x_{\rho 1}/x_1, \dots, x_{\rho n}/x_n]]\!]_m = \mathcal{E}[\![e]\!]_n \circ \langle \pi_{\rho 1}, \dots, \pi_{\rho n} \rangle$ (15)

for all $\rho : n \to m$.


The initial algebra $T0$ displayed above is the presheaf of $\pi$-calculus terms: at stage $n$ it is the set of ($\alpha$-equivalence classes of) terms with at most $n$ (canonical) free variables, with action given by variable renaming.

Value-passing CCS. We will consider the following fragment of CCS passing expressions $e$ as in (7) along a finite set of channels $c \in C$:

$t ::= 0 \mid t_1 \,|\, t_2 \mid c?(x).t \mid c!(e).t \mid [e_1 = e_2]t$

This grammar has associated signature endofunctor

$\Sigma_E X = 1 + X \times X + K_C \times \delta X + K_C \times E \times X + E \times E \times X$

on $\mathbf{Set}^{\mathbb{F}}$, where $K_C$ is the constantly $C$ presheaf.

More generally, we have a signature bifunctor $\Sigma : \mathbf{Set}^{\mathbb{F}} \times \mathbf{Set}^{\mathbb{F}} \to \mathbf{Set}^{\mathbb{F}}$

$\Sigma(M, X) = 1 + X \times X + K_C \times \delta X + K_C \times M \times X + M \times M \times X$ (16)

parametric in the presheaf $M$ of messages being passed.

1.3.  Substitution 

Clones. We have seen that besides the operators, the semantics $\mathcal{E}$ also respects variable renaming (see (9) and (15)). However, $\mathcal{E}$ respects substitution in the stronger form of satisfying the semantic substitution lemma:

$\mathcal{E}[\![e[e_1/x_1, \dots, e_n/x_n]]\!]_m = \mathcal{E}[\![e]\!]_n \circ \langle \mathcal{E}[\![e_1]\!]_m, \dots, \mathcal{E}[\![e_n]\!]_m \rangle$ (18)

In other words, $\mathcal{E}$ is not only an algebra homomorphism but also, as we explain below, a clone homomorphism.

Recall that an (abstract) clone [9, page 132] $X$ consists of a family $\{X_n\}_{n \in \mathbb{N}}$ of sets, a family

$\{\, \iota^{(n)}_i \in X_n \mid 1 \le i \le n \,\}_{n \in \mathbb{N}}$

of distinguished elements, and a family

$\{\, \varsigma_{n,m} : X_n \times (X_m)^n \to X_m \,\}_{n, m \in \mathbb{N}}$

of operations such that, for every element $t$ of $X_n$, every $n$-tuple $u = (u_1, \dots, u_n)$ of elements of $X_m$, and every $m$-tuple $v$ of elements of $X_l$, the following three axioms hold:

$\varsigma_{n,m}(\iota^{(n)}_i; u_1, \dots, u_n) = u_i \qquad \varsigma_{n,n}(t; \iota^{(n)}_1, \dots, \iota^{(n)}_n) = t$

$\varsigma_{m,l}(\varsigma_{n,m}(t; u); v) = \varsigma_{n,l}(t; \varsigma_{m,l}(u_1; v), \dots, \varsigma_{m,l}(u_n; v))$ (19)


This tensor product and variations thereof play a crucial role in this paper; they arise from the following general situation (see, e.g., [23, I.5]): an object $C$ of a cartesian and cocomplete category $\mathcal{C}$ determines the functor $n \mapsto C^n$ from $\mathbb{F}^{op}$ to $\mathcal{C}$, and $\_ \bullet C : \mathbf{Set}^{\mathbb{F}} \to \mathcal{C}$ is its cartesian and cocontinuous extension along $n \mapsto V^n$, where $\mathbf{Set}^{\mathbb{F}}$ plays the role of the cartesian (and cocomplete) extension of $\mathbb{F}^{op}$.

Proposition 1.1 1. For $\mathcal{C}$ and $\mathcal{D}$ cartesian and cocomplete categories, and $F : \mathcal{C} \to \mathcal{D}$ a cartesian functor with a right adjoint, we have a canonical natural isomorphism

$\_ \bullet FC \cong F(\_ \bullet C)$

for all $C \in \mathcal{C}$.

A homomorphism $h : X \to X'$ between clones is a family $\{h_n : X_n \to X'_n\}_{n \in \mathbb{N}}$ of functions that respects the clone structure.

The clone structure on the family $\{E_n\}_{n \in \mathbb{N}}$ of expressions is given by the variables $x_i$ ($1 \le i \le n$) in $E_n$ and by the simultaneous substitution of expressions for expressions

$E_n \times (E_m)^n \to E_m, \quad (e; e_1, \dots, e_n) \mapsto e[e_1/x_1, \dots, e_n/x_n]$

(The three axioms in (19) amount to the familiar properties of substitution.) For the semantic domain $\langle \mathbb{Z}, \mathbb{Z} \rangle$, the clone structure is given by projections and function composition (together with pairing). In fact, for every object $C$ of a cartesian category $\mathcal{C}$, one can form the clone of operations $\langle C, C \rangle$ on $C$, with $\iota^{(n)}_i$ given by the projection $\pi_i : C^n \to C$ and $\varsigma_{n,m}$ by the map

$\mathcal{C}(C^n, C) \times \mathcal{C}(C^m, C)^n \to \mathcal{C}(C^m, C), \quad (f; g_1, \dots, g_n) \mapsto f \circ \langle g_1, \dots, g_n \rangle$

Thus, with respect to the above clone structures, the requirement that the semantics $\mathcal{E}$ be a clone homomorphism amounts to the identity (9.1) and the semantic substitution lemma (18).
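As an added illustration (not code from the paper), the following Python encodes the expressions of grammar (7) as nested tuples, implements the clone operation of simultaneous substitution, the renaming action $e[\rho]$ and the interpretation $\mathcal{E}[\![e]\!]_n$ of (9), and checks on concrete inputs the three clone axioms (19), the naturality identity (15) and the semantic substitution lemma (18). The tuple encoding, the function names and the sample expressions are this example's own choices and are not part of the original page.

```python
# Added example: expressions of grammar (7) as nested tuples (an encoding chosen
# here, not from the paper):
#   ('var', i)            the variable x_i, 1 <= i <= n
#   ('int', z)            the integer literal z
#   ('plus', e1, e2)      e1 plus e2
#   ('minus', e1, e2)     e1 minus e2
# Contexts are implicit: an expression lives in E_n for any n bounding its variables.

def var(i):
    return ('var', i)

def lit(z):
    return ('int', z)

def plus(e1, e2):
    return ('plus', e1, e2)

def minus(e1, e2):
    return ('minus', e1, e2)

def subst(e, es):
    """Clone operation: simultaneous substitution e[e_1/x_1, ..., e_n/x_n],
    with es = (e_1, ..., e_n) a tuple of expressions in E_m."""
    tag = e[0]
    if tag == 'var':
        return es[e[1] - 1]
    if tag == 'int':
        return e
    return (tag, subst(e[1], es), subst(e[2], es))

def rename(e, rho):
    """Presheaf action e[rho] = e[x_{rho 1}/x_1, ..., x_{rho n}/x_n];
    rho is a tuple with rho[i-1] = rho(i), representing rho : n -> m."""
    return subst(e, tuple(var(j) for j in rho))

def evaluate(e, env):
    """E[[e]]_n applied to env in Z^n, following clauses 1-4 of (9)."""
    tag = e[0]
    if tag == 'var':
        return env[e[1] - 1]          # projection pi_i
    if tag == 'int':
        return e[1]                   # constant function
    a, b = evaluate(e[1], env), evaluate(e[2], env)
    return a + b if tag == 'plus' else a - b

def naturality_holds(e, rho, env):
    """Identity (15): E[[e[rho]]]_m(env) == E[[e]]_n(env_{rho 1}, ..., env_{rho n})."""
    lhs = evaluate(rename(e, rho), env)
    rhs = evaluate(e, tuple(env[j - 1] for j in rho))
    return lhs == rhs

def substitution_lemma_holds(e, es, env):
    """Lemma (18): E[[e[e_1/x_1,...,e_n/x_n]]]_m(env)
                   == E[[e]]_n(E[[e_1]]_m(env), ..., E[[e_n]]_m(env))."""
    lhs = evaluate(subst(e, es), env)
    rhs = evaluate(e, tuple(evaluate(ei, env) for ei in es))
    return lhs == rhs

def clone_axioms_hold(t, u, v):
    """The three axioms (19) for the clone of expressions, with t in E_n,
    u an n-tuple of elements of E_m and v an m-tuple of elements of E_l."""
    n = len(u)
    identity_n = tuple(var(i) for i in range(1, n + 1))
    ax1 = all(subst(var(i), u) == u[i - 1] for i in range(1, n + 1))
    ax2 = subst(t, identity_n) == t
    ax3 = subst(subst(t, u), v) == subst(t, tuple(subst(ui, v) for ui in u))
    return ax1 and ax2 and ax3

# Constructed sample data: e = (x1 plus x2) minus 3 in E_2, a renaming rho : 2 -> 2
# collapsing both variables onto x2, a substitution into E_2 and an environment in Z^2.
E_SAMPLE = minus(plus(var(1), var(2)), lit(3))
RHO_SAMPLE = (2, 2)
SUBST_SAMPLE = (plus(var(1), lit(1)), minus(var(2), var(1)))
ENV_SAMPLE = (10, 4)

if __name__ == "__main__":
    print(evaluate(E_SAMPLE, ENV_SAMPLE))                                   # 11
    print(naturality_holds(E_SAMPLE, RHO_SAMPLE, ENV_SAMPLE))              # True
    print(substitution_lemma_holds(E_SAMPLE, SUBST_SAMPLE, ENV_SAMPLE))    # True
    print(clone_axioms_hold(E_SAMPLE, SUBST_SAMPLE, (lit(7), var(1))))     # True
```

The syntactic checks (`clone_axioms_hold`) succeed by structural equality of trees, which is what makes the expression clone the initial one; the semantic checks succeed because `evaluate` is defined clause by clause from (9), so the clone homomorphism property is verified pointwise on the chosen environment rather than proved in general.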

Monoids. The clone structure has equivalent representations as either of the following: finitary monads on $\mathbf{Set}$, Lawvere theories, substitution algebras [13, Theorem 3.3], or, most importantly for this work, monoids in the monoidal closed category $(\mathbf{Set}^{\mathbb{F}}, \bullet, V)$ [13, Proposition 3.4], where the monoidal product is defined by the following coend:

$(X \bullet Y)_m = \int^{n \in \mathbb{F}} X_n \times (Y_m)^n \quad (m \in \mathbb{F})$ (20)


(Proposition 1.1, continued.) 2. For a cartesian and cocomplete category $\mathcal{C}$ such that, for all $C \in \mathcal{C}$, the functor $\_ \times C$ is cocontinuous, we have the following equivalence of categories

$\mathcal{C} \simeq \mathbf{CarCoc}(\mathbf{Set}^{\mathbb{F}}, \mathcal{C})$

$C \mapsto \_ \bullet C$

$F \mapsto FV$

where $\mathbf{CarCoc}$ is the category of cartesian and cocontinuous functors, and natural transformations. □

Corollary 1.2 For every $X \in \mathbf{Set}^{\mathbb{F}}$ and $C \in \mathbf{Set}^{\mathbb{C}}$, there are canonical natural isomorphisms as follows

$(\_ \bullet X) \bullet C \cong \_ \bullet (X \bullet C)$

$\langle X, \langle C, \_ \rangle \rangle \cong \langle X \bullet C, \_ \rangle$ □

In this paper we will exclusively consider the above tensor construction when $\mathcal{C} = \mathbf{Set}^{\mathbb{C}}$, for some small category $\mathbb{C}$ (see [23, VII.2 and VIII.4] for a general discussion in the context of topos theory). In this case, the tensor $X \bullet C$ (for $X \in \mathbf{Set}^{\mathbb{F}}$ and $C \in \mathbf{Set}^{\mathbb{C}}$) has the following elementary description

$(X \bullet C)_m = \int^{n \in \mathbb{F}} X_n \times (C_m)^n = \Big( \coprod_{n \in \mathbb{N}} X_n \times (C_m)^n \Big) / \sim \quad (m \in \mathbb{C})$

where $\sim$ is the equivalence relation generated by

$(x, c_{\rho 1}, \dots, c_{\rho n}) \sim (x[\rho], c_1, \dots, c_{n'}) \quad (\rho : n \to n')$

Note that in particular taking $\mathbb{C} = \mathbb{F}$ and $C = Y \in \mathbf{Set}^{\mathbb{F}}$ we obtain the tensor (20) on $\mathbf{Set}^{\mathbb{F}}$. We will also use the case where $\mathbb{C} = 1$ (the terminal category), hence $\mathcal{C} = \mathbf{Set}$ and $C$ is a set $S$:

$X \bullet S = \int^{n \in \mathbb{F}} X_n \times S^n$
As mentioned above, the categories of clones and monoids in $(\mathbf{Set}^{\mathbb{F}}, \bullet, V)$ are equivalent, hence the semantics $\mathcal{E} : E \to \langle \mathbb{Z}, \mathbb{Z} \rangle$ is both a $\Sigma$-algebra homomorphism and a monoid homomorphism. In fact, by Theorem 4.1 of [13], the presheaf of expressions $E$ is the initial object in the category of $\Sigma$-monoids (consisting of compatible $\Sigma$-algebra and monoid structures with corresponding homomorphisms). And, as the $\Sigma$-algebra structure in (14) for the clone of operations $\langle \mathbb{Z}, \mathbb{Z} \rangle$ is compatible with the clone/monoid structure of $\langle \mathbb{Z}, \mathbb{Z} \rangle$, the semantics $\mathcal{E}$ is the unique $\Sigma$-monoid homomorphism from $E$ to $\langle \mathbb{Z}, \mathbb{Z} \rangle$.

1.4. Categorical operational semantics

It is shown in [35] that operational rules of the form (1) for signature and behaviour endofunctors $\Sigma$ and $B$ on a bicartesian category $\mathcal C$ induce a compositional semantics having the (full abstraction) property that two terms have the same meaning if and only if they are bisimilar, provided that (i) the forgetful functor $B\text{-Coalg} \to \mathcal C$ has a right adjoint (hence a final coalgebra exists), and (ii) the behaviour $B$ preserves weak pullbacks. The main tool we use to establish (i) for the behaviours in the present paper is the following.

Proposition 1.3 (See [24, 3]) For a finitary (resp. accessible) endofunctor $B$ on a locally finitely presentable (resp. accessible) category $\mathcal C$, the forgetful functor $B\text{-Coalg} \to \mathcal C$ has a right adjoint. □

The above mentioned (coalgebraic) notion of bisimulation is due to [2]. In this paper, we will consider it in the following form: a $B$-bisimulation between two coalgebras $h : X \to BX$ and $k : Y \to BY$ is a relation (i.e., equivalence class of monos) $R \rightarrowtail X \times Y$ between the carriers $X$ and $Y$ which lifts to the coalgebras in the sense that the diagram

      X  <----  R  ---->  Y
      |         |         |
    h |         |         | k
      v         v         v
     BX  <---- BR  ----> BY

commutes for some coalgebra structure on $R$. For the behaviour in (3) $B$-bisimulation is (strong) bisimulation.

2. Message passing bisimulations

2.1. Value passing

Late bisimulation. To model value-passing CCS, with respect to a set of values $V$ and a finite set of channels $C$, we consider the behaviour endofunctor

$$BS \;=\; \mathcal P_{\mathrm f}\bigl(C \times S^V \,+\, C \times V \times S \,+\, S\bigr) \tag{22}$$

on Set, where the components of the sum respectively model input, output, and silent actions. (Cf. [20].)

With respect to this behaviour functor, coalgebraic bisimulation corresponds to late bisimilarity. Indeed, a coalgebra $h : S \to BS$ induces the late transition relation

$$\begin{array}{ll}
s \xrightarrow{c?()} f & \text{iff } (c, f) \in h(s) \quad (c \in C,\ s \in S,\ f \in S^V)\\[2pt]
s \xrightarrow{c!(v)} s' & \text{iff } (c, v, s') \in h(s) \quad (c \in C,\ v \in V,\ s, s' \in S)\\[2pt]
s \xrightarrow{\tau} s' & \text{iff } s' \in h(s) \quad (s, s' \in S)
\end{array}$$

that provides a characterisation of coalgebraic bisimulation in familiar terms (see [21]) as follows.

Proposition 2.1 The following data are equivalent.

1. A coalgebraic bisimulation for a coalgebra on $S$.

2. A symmetric relation $R \subseteq S \times S$ such that $s_0 \mathrel R s_0'$ implies

• if $s_0 \xrightarrow{c?()} f$ then there exists $f'$ such that $s_0' \xrightarrow{c?()} f'$ and $f(v) \mathrel R f'(v)$ for all $v \in V$;

• if $s_0 \xrightarrow{c!(v)} s$ then there exists $s'$ such that $s_0' \xrightarrow{c!(v)} s'$ and $s \mathrel R s'$;

• if $s_0 \xrightarrow{\tau} s$ then there exists $s'$ such that $s_0' \xrightarrow{\tau} s'$ and $s \mathrel R s'$. □

To appreciate the way in which (22) models the late interpretation of input, it is instructive to use the isomorphism $\mathcal P_{\mathrm f}(S + S') \cong \mathcal P_{\mathrm f}(S) \times \mathcal P_{\mathrm f}(S')$ and consider the behaviour in the following form

$$BS \;\cong\; \mathcal P_{\mathrm f}(S^V)^C \times \mathcal P_{\mathrm f}(V \times S)^C \times \mathcal P_{\mathrm f}(S)$$

from which, as observed by Gordon Plotkin, one can read the late interpretation off the first component of the product, corresponding to "first choosing a derivative and then receiving a value". To model the early interpretation of input, corresponding to "first receiving a value and then choosing a derivative", one thus needs to reverse the roles of the type constructors for non-determinism and inaction, and input.

Early bisimulation. Noticing the following decomposition of the finite powerset functor

$$\mathcal P_{\mathrm f} \;\cong\; 1 + \mathcal P^{+}_{\mathrm f}$$

where $\mathcal P^{+}_{\mathrm f}$ is the non-empty finite powerset functor, a natural behaviour for the early interpretation is then the endofunctor

$$BS \;=\; \bigl(1 + \mathcal P^{+}_{\mathrm f}(S)^V\bigr)^C \times \mathcal P_{\mathrm f}(V \times S)^C \times \mathcal P_{\mathrm f}(S)$$

which we will consider below in the following uniform form

$$BS \;\cong\; \bigl(C \rightharpoonup \mathcal P^{+}_{\mathrm f}(S)^V\bigr) \times \bigl(C \rightharpoonup \mathcal P^{+}_{\mathrm f}(V \times S)\bigr) \times \bigl(1 \rightharpoonup \mathcal P^{+}_{\mathrm f}(S)\bigr) \tag{23}$$

where $\rightharpoonup : \mathrm{pSet}^{\mathrm{op}} \times \mathrm{pSet} \to \mathrm{Set}$ is the partial-exponential functor (see e.g. [11]).

In this setting, a coalgebra $h : S \to BS$ induces the early transition relation

$$\begin{array}{ll}
s \xrightarrow{c?(v)} s' & \text{iff } s' \in \pi_1(h(s))(c)(v) \quad (c \in C,\ v \in V,\ s, s' \in S)\\[2pt]
s \xrightarrow{c!(v)} s' & \text{iff } (v, s') \in \pi_2(h(s))(c) \quad (c \in C,\ v \in V,\ s, s' \in S)\\[2pt]
s \xrightarrow{\tau} s' & \text{iff } s' \in \pi_3(h(s))() \quad (s, s' \in S)
\end{array}$$

that provides a characterisation of coalgebraic bisimulation in familiar terms as follows.

Proposition 2.2 The following data are equivalent.

1. A coalgebraic bisimulation for a coalgebra on $S$.

2. A symmetric relation $R \subseteq S \times S$ such that $s_0 \mathrel R s_0'$ implies

• if $s_0 \xrightarrow{c?(v)} s$ then there exists $s'$ such that $s_0' \xrightarrow{c?(v)} s'$ and $s \mathrel R s'$;

• if $s_0 \xrightarrow{c!(v)} s$ then there exists $s'$ such that $s_0' \xrightarrow{c!(v)} s'$ and $s \mathrel R s'$;

• if $s_0 \xrightarrow{\tau} s$ then there exists $s'$ such that $s_0' \xrightarrow{\tau} s'$ and $s \mathrel R s'$. □

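As an added illustration, not part of the paper, the following Python code computes the largest late and the largest early bisimulation on a finite coalgebra of the shape (22), taking the transfer conditions of Propositions 2.1 and 2.2 literally as a greatest-fixed-point computation over $S \times S$. The transition system is a constructed instance of the standard example separating the two notions: $P_1 = a(x).P + a(x).Q$ and $P_2 = P_1 + a(x).(\text{if } x = 0 \text{ then } P \text{ else } Q)$, with $P = a!0$ and $Q = a!1$. The state names, the two-element value set and the helper names (`VPTS`, `largest_bisimulation`, `bisimilar`) are this example's own assumptions.

```python
"""Late vs early bisimulation on a finite value-passing coalgebra (added example)."""
from itertools import product

VALUES = (0, 1)   # the value set V; input derivatives are tuples indexed by position in VALUES


class VPTS:
    """A coalgebra h : S -> Pf(C x S^V + C x V x S + S), stored as three maps:
    inp[s] : set of (c, f) with f a tuple of states, f[i] being the derivative for VALUES[i]
    out[s] : set of (c, v, s')
    tau[s] : set of s'
    """

    def __init__(self, states, inp, out, tau):
        self.states = tuple(states)
        self.inp = {s: frozenset(inp.get(s, ())) for s in self.states}
        self.out = {s: frozenset(out.get(s, ())) for s in self.states}
        self.tau = {s: frozenset(tau.get(s, ())) for s in self.states}

    def early_inputs(self, s):
        """Early transitions s --c?(v)--> s' read off the late ones: one per value per derivative."""
        return {(c, v, f[i]) for (c, f) in self.inp[s] for i, v in enumerate(VALUES)}


def _late_ok(ts, s, t, R):
    # every late input step of s must be matched by one of t whose derivatives are related at all values
    return all(any(c == c2 and all((f[i], g[i]) in R for i in range(len(VALUES)))
                   for (c2, g) in ts.inp[t])
               for (c, f) in ts.inp[s])


def _early_ok(ts, s, t, R):
    # every early input step of s (value already received) must be matched by one of t
    tgt = ts.early_inputs(t)
    return all(any(c == c2 and v == v2 and (s1, t1) in R for (c2, v2, t1) in tgt)
               for (c, v, s1) in ts.early_inputs(s))


def _output_tau_ok(ts, s, t, R):
    # output and silent steps are interpreted identically in both notions
    return (all(any(c == c2 and v == v2 and (s1, t1) in R for (c2, v2, t1) in ts.out[t])
                for (c, v, s1) in ts.out[s])
            and all(any((s1, t1) in R for t1 in ts.tau[t]) for s1 in ts.tau[s]))


def largest_bisimulation(ts, mode):
    """Greatest fixed point: start from S x S and delete pairs violating the transfer condition
    in either direction (so the result stays symmetric) until no pair changes."""
    input_ok = {"late": _late_ok, "early": _early_ok}[mode]
    R = set(product(ts.states, repeat=2))
    changed = True
    while changed:
        changed = False
        for (s, t) in sorted(R):
            if not (input_ok(ts, s, t, R) and input_ok(ts, t, s, R)
                    and _output_tau_ok(ts, s, t, R) and _output_tau_ok(ts, t, s, R)):
                R.discard((s, t))
                changed = True
    return frozenset(R)


def bisimilar(ts, s, t, mode):
    return (s, t) in largest_bisimulation(ts, mode)


# Constructed instance: P1 = a(x).P + a(x).Q and P2 = P1 + a(x).(if x = 0 then P else Q),
# with P = a!0.0 and Q = a!1.0, so that P and Q are told apart by their output.
EXAMPLE = VPTS(
    states=("P1", "P2", "P", "Q", "0"),
    inp={"P1": {("a", ("P", "P")), ("a", ("Q", "Q"))},
         "P2": {("a", ("P", "P")), ("a", ("Q", "Q")), ("a", ("P", "Q"))}},
    out={"P": {("a", 0, "0")}, "Q": {("a", 1, "0")}},
    tau={},
)

if __name__ == "__main__":
    print("early:", bisimilar(EXAMPLE, "P1", "P2", "early"))   # True
    print("late: ", bisimilar(EXAMPLE, "P1", "P2", "late"))    # False
```

Reading the input component first as "choose a derivative" (a whole function $V \to S$) and then as "receive a value" is what makes the late check quantify over entire derivatives, while the early check only has to match individual value-indexed transitions; that is exactly the swap of type constructors described above, and it is why late bisimilarity is strictly finer on this example.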
2.2. Name passing

Following [12], we will consider notions of behaviour for the $\pi$-calculus in the category of (variable sets) $\mathrm{Set}^{\mathbb I}$, where $\mathbb I$ is the category of finite cardinals and injections. However, all the constructions involved are also meaningful for pullback-preserving presheaves in $\mathrm{Set}^{\mathbb I}$ and so, following [33], we also obtain notions of behaviour in the Schanuel topos (see e.g. [23, pages 155 and 158]).

Late bisimulation. The constructions needed to model late bisimulation [27] as in [12] are:

• The type of names $N \in \mathrm{Set}^{\mathbb I}$ with identity action $Nn = n$.

• The power type $\mathcal P_{\mathrm f} : \mathrm{Set}^{\mathbb I} \to \mathrm{Set}^{\mathbb I}$ with pointwise action $(\mathcal P_{\mathrm f} P)n = \mathcal P_{\mathrm f}(Pn)$.

• Products ($\times$) and coproducts ($+$) given pointwise by $(P \times Q)n = Pn \times Qn$ and $(P + Q)n = Pn + Qn$.

• The exponential $P^N$ with action given by $(P^N)n = (Pn)^n \times P_{n+1}$ and, for $\iota : n \rightarrowtail m$, $P^N(\iota)(f, p) = (f', p')$ where

$$f'(x) \;=\; \begin{cases} f(y)[\iota] & \text{if } x = \iota(y)\\ p[\iota, x] & \text{otherwise} \end{cases} \qquad p' \;=\; p[\iota + 1]$$

with $[\iota, x] : n + 1 \rightarrowtail m$ the injection extending $\iota$ by sending the new name to $x$.

• The dynamic allocation type $\delta : \mathrm{Set}^{\mathbb I} \to \mathrm{Set}^{\mathbb I}$ with action given by $(\delta P)n = P_{n+1}$ and $(\delta P)(\iota) = P(\iota + 1)$.

The behaviour functor for late bisimulation of [12, 33] is

$$BP \;=\; \mathcal P_{\mathrm f}\bigl(N \times P^N \,+\, N \times N \times P \,+\, N \times \delta P \,+\, P\bigr) \tag{24}$$

on $\mathrm{Set}^{\mathbb I}$. Hence we have that

$$BPn \;=\; \mathcal P_{\mathrm f}\bigl(\, n \times (Pn)^n \times P_{n+1} \;+\; n \times n \times Pn \;+\; n \times P_{n+1} \;+\; Pn \,\bigr)$$

in Set.

A coalgebra $h : P \to BP$ induces the late transition relation

$$\begin{array}{ll}
p \xrightarrow{a?()} f, p' & \text{iff } (a, f, p') \in h_n(p) \quad (a \in n,\ p \in Pn,\ f \in (Pn)^n,\ p' \in P_{n+1})\\[2pt]
p \xrightarrow{a!(b)} p' & \text{iff } (a, b, p') \in h_n(p) \quad (a, b \in n,\ p, p' \in Pn)\\[2pt]
p \xrightarrow{a!()} p' & \text{iff } (a, p') \in h_n(p) \quad (a \in n,\ p \in Pn,\ p' \in P_{n+1})\\[2pt]
p \xrightarrow{\tau} p' & \text{iff } p' \in h_n(p) \quad (p, p' \in Pn)
\end{array}$$

that provides a characterisation of coalgebraic bisimulation in familiar terms (see [27]) as follows.

Proposition 2.3 The following data are equivalent.

1. A coalgebraic bisimulation for a coalgebra on $P$.

2. A family of symmetric relations $\{\, R_n \subseteq Pn \times Pn \,\}_{n \in \mathbb N}$ such that, for every $n \in \mathbb N$,

(a) $p \mathrel{R_n} q$ implies $p[\iota] \mathrel{R_m} q[\iota]$, for all $\iota : n \rightarrowtail m$ in $\mathbb I$;

(b) $p \mathrel{R_n} q$ implies

• if $p \xrightarrow{a?()} f, p'$ then there exist $g, q'$ such that $q \xrightarrow{a?()} g, q'$, and $f(b) \mathrel{R_n} g(b)$ (for all $b \in n$) and $p' \mathrel{R_{n+1}} q'$;

• if $p \xrightarrow{a!(b)} p'$ then there exists $q'$ such that $q \xrightarrow{a!(b)} q'$ and $p' \mathrel{R_n} q'$;

• if $p \xrightarrow{a!()} p'$ then there exists $q'$ such that $q \xrightarrow{a!()} q'$ and $p' \mathrel{R_{n+1}} q'$;

• if $p \xrightarrow{\tau} p'$ then there exists $q'$ such that $q \xrightarrow{\tau} q'$ and $p' \mathrel{R_n} q'$. □

Early bisimulation. The definition of a behaviour functor for early bisimulation (left open in [12, 33]) requires the introduction of a new type constructor.

• For a mono-preserving presheaf $P : \mathbb I \to \mathrm{Set}$ we define $P \rightharpoonup \_ : \mathrm{Set}^{\mathbb I} \to \mathrm{Set}^{\mathbb I}$ as the functor mapping a presheaf $Q$ to the presheaf $P \rightharpoonup Q$ with action given by $(P \rightharpoonup Q)n = Pn \rightharpoonup Qn$ and

$$(P \rightharpoonup Q)(\iota) \;=\; P(\iota) \rightharpoonup Q(\iota) \;:\; u \;\mapsto\; Q(\iota) \circ u \circ P(\iota)^{-1}$$

where $P(\iota)^{-1}(q) = p$ iff $P(\iota)(p) = q$ (see [11]).

This construction extends that of products in that we have an injection $P \times Q \rightarrowtail P \rightharpoonup Q$ given by

$$Pn \times Qn \;\rightarrowtail\; Pn \rightharpoonup Qn, \qquad (p, q) \;\mapsto\; (p \rightharpoonup q) \tag{25}$$

where $(p \rightharpoonup q)(x) = (\text{if } x = p \text{ then } q)$.

In the vein of the treatment of early bisimulation for value-passing CCS given in (23), we consider the following behaviour functor

$$BP \;=\; \bigl(N \rightharpoonup \mathcal P^{+}_{\mathrm f}(P)^N\bigr) \times \bigl(N \rightharpoonup \mathcal P^{+}_{\mathrm f}(N \times P)\bigr) \times \bigl(N \rightharpoonup \mathcal P^{+}_{\mathrm f}(\delta P)\bigr) \times \bigl(1 \rightharpoonup \mathcal P^{+}_{\mathrm f}(P)\bigr) \tag{26}$$

in $\mathrm{Set}^{\mathbb I}$, where the components of the product respectively model input, free and bound output, and silent actions. (The role of the constructor $\rightharpoonup$ in this behaviour functor is analogous to the one of the topped tensor product with $N$ in the model of [18].)

Note that because of the following isomorphisms

$$\mathcal P_{\mathrm f}(P + Q) \;\cong\; \mathcal P_{\mathrm f}(P) \times \mathcal P_{\mathrm f}(Q), \qquad \mathcal P_{\mathrm f}(N \times P) \;\cong\; N \rightharpoonup \mathcal P^{+}_{\mathrm f}(P), \qquad \mathcal P_{\mathrm f}(P) \;\cong\; 1 \rightharpoonup \mathcal P^{+}_{\mathrm f}(P)$$

the late behaviour functor (24) can be written in the following form

$$\bigl(N \rightharpoonup \mathcal P^{+}_{\mathrm f}(P^N)\bigr) \times \bigl(N \rightharpoonup \mathcal P^{+}_{\mathrm f}(N \times P)\bigr) \times \bigl(N \rightharpoonup \mathcal P^{+}_{\mathrm f}(\delta P)\bigr) \times \bigl(1 \rightharpoonup \mathcal P^{+}_{\mathrm f}(P)\bigr)$$

which makes clear that the late and early interpretations of free and bound output, and of silent actions are the same.


Considering the pointwise early behaviour

$$BPn \;=\; \bigl(n \rightharpoonup (\mathcal P^{+}_{\mathrm f} Pn)^n \times \mathcal P^{+}_{\mathrm f} P_{n+1}\bigr) \times \bigl(n \rightharpoonup \mathcal P^{+}_{\mathrm f}(n \times Pn)\bigr) \times \bigl(n \rightharpoonup \mathcal P^{+}_{\mathrm f} P_{n+1}\bigr) \times \bigl(1 \rightharpoonup \mathcal P^{+}_{\mathrm f} Pn\bigr)$$

a coalgebra $h : P \to BP$ induces the early transition relation

$$\begin{array}{ll}
p \xrightarrow{a?(b)} p' & \text{iff } p' \in \pi_1\bigl(\pi_1(h_n p)(a)\bigr)(b) \quad (a, b \in n,\ p, p' \in Pn)\\[2pt]
p \xrightarrow{a?()} p' & \text{iff } p' \in \pi_2\bigl(\pi_1(h_n p)(a)\bigr) \quad (a \in n,\ p \in Pn,\ p' \in P_{n+1})\\[2pt]
p \xrightarrow{a!(b)} p' & \text{iff } (b, p') \in \pi_2(h_n p)(a) \quad (a, b \in n,\ p, p' \in Pn)\\[2pt]
p \xrightarrow{a!()} p' & \text{iff } p' \in \pi_3(h_n p)(a) \quad (a \in n,\ p \in Pn,\ p' \in P_{n+1})\\[2pt]
p \xrightarrow{\tau} p' & \text{iff } p' \in \pi_4(h_n p)() \quad (p, p' \in Pn)
\end{array}$$

that provides a characterisation of coalgebraic bisimulation in familiar terms (see [27]) as follows.

Proposition 2.4 The following data are equivalent.

1. A coalgebraic bisimulation for a coalgebra on $P$.

2. A family of symmetric relations $\{\, R_n \subseteq Pn \times Pn \,\}_{n \in \mathbb N}$ such that, for every $n \in \mathbb N$,

(a) $p \mathrel{R_n} q$ implies $p[\iota] \mathrel{R_m} q[\iota]$, for all $\iota : n \rightarrowtail m$ in $\mathbb I$;

(b) $p \mathrel{R_n} q$ implies

• if $p \xrightarrow{a?(b)} p'$ then there exists $q'$ such that $q \xrightarrow{a?(b)} q'$ and $p' \mathrel{R_n} q'$;

• if $p \xrightarrow{a?()} p'$ then there exists $q'$ such that $q \xrightarrow{a?()} q'$ and $p' \mathrel{R_{n+1}} q'$;

• if $p \xrightarrow{a!(b)} p'$ then there exists $q'$ such that $q \xrightarrow{a!(b)} q'$ and $p' \mathrel{R_n} q'$;

• if $p \xrightarrow{a!()} p'$ then there exists $q'$ such that $q \xrightarrow{a!()} q'$ and $p' \mathrel{R_{n+1}} q'$;

• if $p \xrightarrow{\tau} p'$ then there exists $q'$ such that $q \xrightarrow{\tau} q'$ and $p' \mathrel{R_n} q'$. □




3. Semantics of name passing

To model the structural operational rules for the $\pi$-calculus using natural transformations of type (1), we are faced with the fact that the signature $\Sigma$ is an endofunctor on $\mathrm{Set}^{\mathbb F}$ (see (16)) while the behaviour $B$ (for both the late (24) and the early (26) interpretations) is an endofunctor on $\mathrm{Set}^{\mathbb I}$. Far from being a problem, this disparity allows for the desired compositionality result to hold. Indeed, neither late nor early bisimulation is a congruence. What we need are thus behaviour functors for late and early congruences instead. These behaviours can be obtained by (right) extending the $B$'s on $\mathrm{Set}^{\mathbb I}$ along an adjunction $\mathrm{Set}^{\mathbb F} \rightleftarrows \mathrm{Set}^{\mathbb I}$, obtaining new endofunctors $\overline{B}$ on $\mathrm{Set}^{\mathbb F}$. Moreover, a natural transformation of type

$$\Sigma(X \times \overline{B}X) \;\to\; \overline{B}\,TX \tag{27}$$

in $\mathrm{Set}^{\mathbb F}$ will be suitable to model the desired structural operational rules for the $\pi$-calculus.

Late and early congruences. The adjunction we need between $\mathrm{Set}^{\mathbb F}$ and $\mathrm{Set}^{\mathbb I}$ is an instance of the adjunction in (21) taking $\mathcal C = \mathrm{Set}^{\mathbb I}$ and $C = N$:

$$\_ \bullet N \;:\; \mathrm{Set}^{\mathbb F} \;\rightleftarrows\; \mathrm{Set}^{\mathbb I} \;:\; \langle N, \_\rangle \tag{28}$$

Alternatively, one can describe this adjunction as the essential geometric morphism (see, e.g., [23, page 360]) associated to the inclusion $\mathbb I \to \mathbb F$. Thus, we have a canonical natural isomorphism (29), essentially given by the action $Xn \times m^n \to Xm$ of $X$, where $|\_| : \mathrm{Set}^{\mathbb F} \to \mathrm{Set}^{\mathbb I}$ is the forgetful functor given by precomposing with the inclusion $\mathbb I \to \mathbb F$.

We can now define, for every endofunctor $B$ on $\mathrm{Set}^{\mathbb I}$, an endofunctor

$$\overline{B}X \;=\; \langle N, B|X|\rangle$$

i.e., the right Kan extension of $\langle N, B\_\rangle$ along $\langle N, \_\rangle$. Using the isomorphism (29) and the adjunction (28), the $\overline{B}$-coalgebras are in bijective correspondence with $B$-coalgebras $|X| \to B|X|$. In other words, $\overline{B}$-coalgebras are $B$-coalgebras on presheaves with an action along all renamings (rather than only on injective ones). This makes a crucial difference in terms of coalgebraic bisimulation.

Proposition 3.1 For $B$ as in (24) [resp. (26)], the following data are equivalent.

1. A coalgebraic $\overline{B}$-bisimulation for a coalgebra $X \to \overline{B}X$.

2. A family of symmetric relations $\{\, R_n \subseteq Xn \times Xn \,\}_{n \in \mathbb N}$ as in Proposition 2.3 (2) [resp. Proposition 2.4 (2)] (with respect to the transposed $B$-coalgebra $|X| \to B|X|$) where the closure condition (a) is generalised to

$p \mathrel{R_n} q$ implies $p[\rho] \mathrel{R_m} q[\rho]$, for all $\rho : n \to m$ in $\mathbb F$. □

Proposition 3.2 1. The functors $\_ : \mathrm{Set}^{\mathbb I} \to \mathrm{Set}^{\mathbb I}$ and $\_ : \mathrm{Set}^{\mathbb I} \to \mathrm{Set}^{\mathbb I}$ ($n \in \mathbb N$) are finitary.

2. For $B$ as in (24) and (26), the lifted functors $\overline{B}$ are finitary (hence the forgetful functor $\overline{B}\text{-Coalg} \to \mathrm{Set}^{\mathbb F}$ has a right adjoint) and preserve weak pullbacks. □

Therefore, every natural transformation of type (27), with $B$ the late (early) behaviour functor, induces a compositional semantics fully abstract with respect to late (early) congruence.

Categorical rules. We sketch how the $\pi$-calculus operational rules [27] are modelled by a natural transformation of type (27). For brevity, we only consider the operational rules of the binding operators (input and restriction); the operational rules for the other operators are modelled along the lines of [34] using the isomorphisms

$$\langle C, D_1\rangle \times \langle C, D_2\rangle \;\cong\; \langle C, D_1 \times D_2\rangle, \qquad \delta\langle C, D\rangle \;\cong\; \langle C, D^C\rangle$$

satisfied by the functors in (13) with $\mathcal C$ cartesian closed, and the map

$$V \times X \;\to\; \langle N, N \rightharpoonup |X|\rangle \tag{30}$$

obtained by transposing $|V \times X| = N \times |X| \rightarrowtail N \rightharpoonup |X|$, where the injection is given by (25).

Input. For input, the rule is modelled by a map of type

$$V \times \delta(X \times \overline{B}X) \;\to\; \langle N, B|TX|\rangle$$

Using (30) and projecting out the components that do not contribute to the rule we can focus on defining a map of type

$$\delta X \;\to\; \langle N, |X|^N\rangle \;\cong\; \delta\langle N, |X|\rangle$$

The required map is $\delta$ applied to the unit $X \rightarrowtail \langle N, |X|\rangle$ of the adjunction (28); that is,

$$X_{n+1} \;\to\; \mathrm{Set}^{\mathbb I}(N^{n+1}, |X|), \qquad x \;\mapsto\; \{\,\lambda \rho \in m^{n+1}.\; x[\rho]\,\}_{m \in \mathbb I}$$

Note that this map can be used both for the late and the early cases by composing it with suitable maps respectively arising from the injections $|X|^N \rightarrowtail \mathcal P_{\mathrm f}(|X|^N)$ and $|X|^N \rightarrowtail (\mathcal P^{+}_{\mathrm f}|X|)^N$.
Restriction. For restriction, the rule is modelled by a map of type $\delta(X \times \overline{B}X) \to \langle N, B|TX|\rangle$ in $\mathrm{Set}^{\mathbb F}$ which, in fact, comes from a map of type

$$\delta B|X| \;\to\; B|TX| \qquad \text{in } \mathrm{Set}^{\mathbb I}$$

For instance, the core of this latter map corresponding to the following two rules

$$\text{(Res)}\;\; \frac{P \xrightarrow{a!(b)} Q}{(x)P \xrightarrow{a!(b)} (x)Q}\;\; x \neq a, b \qquad\qquad \text{(Open)}\;\; \frac{P \xrightarrow{a!(x)} Q}{(x)P \xrightarrow{a!()} Q}\;\; x \neq a$$

is the map

$$\delta N \times \delta N \times \delta|X| \;\to\; \mathcal P_{\mathrm f}\bigl(N \times N \times |TX| \,+\, N \times \delta|TX|\bigr)$$

defined, using the internal language (see [12]), as follows:

    RO(a, b, q) =
      case a of
        old(a') => let q' = δη q in
                   case b of
                     old(b') => { (a', b', ν q') }
                     new     => { (a', q') }
        new     => ∅

where $\eta : |X| \to |TX|$ and $\nu : \delta|TX| \to |TX|$ (in $\mathrm{Set}^{\mathbb I}$) are respectively the (underlying maps of the) unit and the restriction operator (in $\mathrm{Set}^{\mathbb F}$) of the free $\Sigma$-algebra $TX$ on $X$.

4. Semantics of value passing

Actions. We have seen in §1.1 that the homogeneous substitution of expressions for variables in expressions can be modelled as monoids. For the heterogeneous substitution of expressions for variables in terms we can use monoid actions as follows. Every monoid $M = (M, \mu, \upsilon)$ in $\mathrm{Set}^{\mathbb F}$ defines a monad $\_ \bullet M$ on $\mathrm{Set}^{\mathbb F}$. The category of algebras of this monad, $M\text{-Act}$, consists of (right) actions $A \bullet M \to A$ [22, VII.4]. In elementary terms, this amounts to a family $\{\, \alpha_m : An \times (Mm)^n \to Am \,\}_{n, m \in \mathbb N}$ of operations such that

$$\alpha_n(a;\, v_1, \ldots, v_n) \;=\; a$$

$$\alpha_r(\alpha_m(a;\, u);\, v) \;=\; \alpha_r\bigl(a;\, \mu(u_1; v), \ldots, \mu(u_n; v)\bigr)$$

for all $a$ in $An$, $u$ in $(Mm)^n$, and $v$ in $(Mr)^m$, where $v_1, \ldots, v_n$ are the variables in $Mn$ given by the unit $\upsilon$. (Note the occurrence of $\mu$ in the second law.)

For examples of actions consider the following.

A $V$-action $A \bullet V \to A$ is forced, by the unit law, to be the canonical isomorphism $A \bullet V \cong A$. Thus, the category $V\text{-Act}$ is isomorphic to $\mathrm{Set}^{\mathbb F}$; which explains why, for name passing, we can do without extra substitution structure.

For objects $C$ and $D$ in a cartesian category $\mathcal C$, the monoid $\langle C, C\rangle$ has a canonical action on the presheaf $\langle C, D\rangle$ given by (pairing and) composition in $\mathcal C$.

As in any bicomplete monoidal closed category (cf. [23, VII.3]), a monoid homomorphism $M' \to M$ induces a reindexing functor $M\text{-Act} \to M'\text{-Act}$ with both left and right adjoints. Thus, the semantics of expressions $E \to \langle Z, Z\rangle$ and the unique homomorphism $V \to M$ induce the following adjoint situations

$$\langle Z, Z\rangle\text{-Act} \;\rightleftarrows\; E\text{-Act}, \qquad\qquad M\text{-Act} \;\rightleftarrows\; \mathrm{Set}^{\mathbb F}$$

the latter being the forgetful functor with left adjoint $\_ \bullet M$ and right adjoint $\langle M, \_\rangle$, where $X \bullet M$ has action given by multiplication and $\langle M, X\rangle$ has action given by multiplication and evaluation.

Syntax. The substitution of expressions in terms involves, in turn, a substitution of expressions in expressions. Thus, the signature bifunctor for value-passing CCS needs to be parametric in a monoid of messages. Accordingly, we let $\Sigma$ be the bifunctor $\mathrm{Mon}(\mathrm{Set}^{\mathbb F}) \times \mathrm{Set}^{\mathbb F} \to \mathrm{Set}^{\mathbb F}$ given by (17).

For a monoid $M$, we write $\Sigma_M$ for the functor $\Sigma(M, \_) : \mathrm{Set}^{\mathbb F} \to \mathrm{Set}^{\mathbb F}$. One can lift $\Sigma_M$ to the category $M\text{-Act}$ of $M$-actions by means of a distributive law

$$\lambda : \Sigma_M(\_) \bullet M \;\Rightarrow\; \Sigma_M(\_ \bullet M)$$

of the endofunctor $\Sigma_M$ over the monad induced by the monadic adjunction $M\text{-Act} \rightleftarrows \mathrm{Set}^{\mathbb F}$. This distributive law is essentially the strength described in [13, page 200], with the extra use of the multiplication of the monoid $M$ in the fourth and fifth summand of $\Sigma_M$. The resulting endofunctor

$$\overline{\Sigma}_M(A,\; A \bullet M \to A) \;=\; \bigl(\, \Sigma_M(A) \bullet M \;\xrightarrow{\;\lambda\;}\; \Sigma_M(A \bullet M) \;\to\; \Sigma_M(A) \,\bigr)$$

on $M\text{-Act}$ has as algebras presheaves $A$ with both a $\Sigma$-algebra structure and an $M$-action compatible with each other in the sense that the evident diagram

    Σ_M(A) • M  ---λ--->  Σ_M(A • M)  ----->  Σ_M(A)
         |                                       |
         v                                       v
       A • M  ------------------------------->   A

commutes. We denote the corresponding category of $\overline{\Sigma}_M$-algebras by $\overline{\Sigma}_M\text{-Alg}$. The associated forgetful functor $\overline{\Sigma}_M\text{-Alg} \to M\text{-Act}$ has a left adjoint; and the induced monad is denoted by $\overline{T}_M$, as it is a lifting of the monad $T_M$ induced by $\Sigma_M$.

Moreover, every monoid homomorphism $M' \to M$ induces a reindexing functor $\overline{\Sigma}_M\text{-Alg} \to \overline{\Sigma}_{M'}\text{-Alg}$, which is a lifting of the reindexing functor $M\text{-Act} \to M'\text{-Act}$. In particular, the reindexing functor $\overline{\Sigma}_{\langle Z, Z\rangle}\text{-Alg} \to \overline{\Sigma}_E\text{-Alg}$ induced by the semantics of expressions $E \to \langle Z, Z\rangle$ allows us to turn every interpretation for $T_{\langle Z, Z\rangle}(0)$ into one for $T_E(0)$.

Semantics. Let $M$ be a monoid of messages in $\mathrm{Set}^{\mathbb F}$, a typical example being the clone of operations $\langle V, V\rangle$ on a set of values $V$.

We have the following situation (cf. (5))

$$M\text{-Act} \;\rightleftarrows\; \mathrm{Set}^{\mathbb F} \;\rightleftarrows\; \mathrm{Set}$$

where the adjunction on the right can be alternatively described as the essential geometric morphism associated to the functor $0 : 1 \to \mathbb F$; hence

$$X \bullet 0 \;\cong\; X0$$

for all $X \in \mathrm{Set}^{\mathbb F}$.

To have both syntax and behaviour on the same category, we will proceed as in the previous section and (right) extend behaviour functors $B$ on Set along the composite adjunction $M\text{-Act} \rightleftarrows \mathrm{Set}$ to $\overline{B}$ on $M\text{-Act}$. To do this easily, we need a lemma.

Lemma 4.1 For $\mathcal C$ cartesian and cocomplete, the composite adjunction

$$|\_| \;:\; M\text{-Act} \;\rightleftarrows\; \mathrm{Set}^{\mathbb F} \;:\; \langle M, \_\rangle, \qquad \_ \bullet C \;:\; \mathrm{Set}^{\mathbb F} \;\rightleftarrows\; \mathcal C \;:\; \langle C, \_\rangle$$

is given by

$$|\_| \bullet C \;:\; M\text{-Act} \;\rightleftarrows\; \mathcal C \;:\; \langle M \bullet C, \_\rangle. \quad □$$

It follows that the extension of a behaviour functor $B$ on Set is along the adjunction

$$|\_|_0 \;:\; M\text{-Act} \;\rightleftarrows\; \mathrm{Set} \;:\; \langle M_0, \_\rangle \tag{31}$$

where $M_0$ is the set of ground messages, yielding $\overline{B}$ on $M\text{-Act}$ to be given by

$$\overline{B}A \;=\; \langle M_0, B(A_0)\rangle$$

Late and early congruences. As operational models for value passing we take $\overline{B}$-coalgebras

$$A \;\to\; \overline{B}A \;=\; \langle M_0, B(A_0)\rangle$$

in $M\text{-Act}$, where $B$ is either of the two endofunctors on Set of (22) and (23). The adjunction (31) allows us to express these operational models in terms of coalgebras on Set. Indeed, they are in bijective correspondence with functions

$$A_0 \;\to\; B(A_0)$$

where $A$ carries an $M$-action. Moreover, $\overline{B}$-coalgebra homomorphisms are action homomorphisms which at stage 0 are also $B$-coalgebra homomorphisms:

    A • M  ----->  A            A_0  ----->  B(A_0)
      |            |             |              |
      v            v             v              v
    A' • M ----->  A'           A'_0 ----->  B(A'_0)

Proposition 4.2 For $B$ as in (22) [resp. (23)], the following data are equivalent.

1. A coalgebraic $\overline{B}$-bisimulation for a coalgebra $A \to \overline{B}A$.

2. A family of symmetric relations $\{\, R_n \subseteq An \times An \,\}_{n \in \mathbb N}$ such that

(a) $R_0$ is as in Proposition 2.1 (2) [resp. Proposition 2.2 (2)] (with respect to the transposed $B$-coalgebra $A_0 \to B(A_0)$).

(b) For every $n \in \mathbb N$, $s \mathrel{R_n} s'$ implies $\alpha_m(s; v) \mathrel{R_m} \alpha_m(s'; v)$, for all $v$ in $(Mm)^n$. □

Proposition 4.3 1. The category of actions $M\text{-Act}$ is locally finitely presentable.

2. For $B$ as in (22) and (23), the extended functors $\overline{B}$ are accessible (hence the forgetful functor $\overline{B}\text{-Coalg} \to M\text{-Act}$ has a right adjoint) and preserve weak pullbacks. □

Categorical rules. Natural transformations in $M\text{-Act}$ of type

$$\Sigma(A \times \overline{B}A) \;\to\; \overline{B}\,TA \tag{32}$$

with $B$ the late (early) behaviour functor with set of values $V = M_0$, are suitable to model structural operational rules for languages with value passing and give a categorical format inducing fully-abstract compositional semantics with respect to late (early) congruence.

Input. The most interesting rule to model is the axiom for input. As for the $\pi$-calculus, the core of this rule (both for the late and early behaviour) lies in the map

$$\delta A \;\to\; \langle V, A_0^{\,V}\rangle \;\cong\; \delta\langle V, A_0\rangle$$

obtained by applying $\delta$ to the unit of the adjunction (31), namely:

$$A_{n+1} \;\to\; \mathrm{Set}(V^{n+1}, A_0), \qquad a \;\mapsto\; \lambda v \in V^{n+1}.\; \alpha_0(a; v)$$
Abstract

A fully abstract game semantics for an extension of Idealized Algol with locally declared exceptions is presented. It is based on "Hyland-Ong games", but as well as relaxing the constraints which impose functional behaviour (as in games models of other computational effects such as continuations and references), new structure is added to plays in the form of additional pointers which track the flow of control. The semantics is proved to be fully abstract by a factorization of strategies into a 'new-exception generator' and a strategy with local control flow. It is shown, using examples, that there is no model of exceptions which is a conservative extension of the semantics of Idealized Algol without the new pointers.

1 Introduction

All practical programming languages provide some means of manipulating the flow of control, primarily to recover from errors and deal with other exceptional eventualities. Dynamically bound, locally declared exceptions are a simple, elegant and effective way to do this, making them a key part of ML and Java, for example. Despite their ease of use for programmers, however, these exceptions are not 'easy' from a semantic point of view; no denotational model of a language containing them has hitherto been described. Statically bound exceptions can be implemented using call-with-current-continuation, but fail to account for one of the most important features of exceptions: that the same error may be handled in different ways if it occurs in different contexts. On the other hand, dynamically bound global exceptions have been modelled abstractly via the exceptions monad [13], but this approach has not been applied to locally declared exceptions. It may be argued that local exceptions have proved resistant to the efforts of semanticists in part because they are a kind of hybrid effect. Their main purpose is to give access to the flow of control, but dynamic binding distinguishes them from statically bound control constructs such as call/cc, whilst locality gives rise to some of the identity-related issues which appear with reference variables. But since continuations and store have traditionally been modelled by (very different) constructions, simply piling them on top of a functional basis is likely to lead to a complicated semantics which is not fully abstract.

The basis for a possible solution to these problems can be found in the 'intensional hierarchy' [4] of games models of various effects such as state [1, 3], first-class continuations [11] and higher type references [5]. These all extend the basic model of PCF described by Hyland and Ong [9], and Nickau [14], by relaxing, one-by-one, the constraints on games and strategies which oblige them to behave in a purely functional way. This 'direct' approach to modelling side-effects means that they can often be combined simply (and fully abstractly) by relaxing the relevant combination of constraints.

However, even in the context of game semantics, the dynamic nature of exceptions has significant ramifications. Rather than simply weakening the appropriate constraints on the model of PCF, it proves necessary to add significant new structure, in the form of additional 'contingency pointers', to the traces which represent the states of a game, in order to describe the dynamic binding of exceptions. These pointers give an explicit representation of control flow in the model, allowing a move to be played as if it immediately follows an earlier move which is not actually its immediate predecessor.

The main contribution of this paper is therefore to define a new category of games by adding contingency pointers to HO-style games, to show that this category contains a model of locally declared, dynamically bound exceptions, and, by a full abstraction result, to show precisely how these combine locality with manipulation of control-flow. Using this analysis, it is shown that the contingency structure really is necessary to interpret exceptions in HO games. Because the games models of references and continuations do not have this structure, this suggests that exceptions cannot be expressed using continuations and references.
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2  Idealized  Exceptions 

The  language  which  will  be  modelled  —  Idealized 
Algol  [16]  with  (idealized)  exceptions,  or  lAx  for  short 
—  is  a  typed  call-by-name  A-calculus  with  locally 
declared  ground-type  references  and  a  pared  down 
call-by-name  version  of  the  simple  exceptions  (based 
on  ML  exceptions)  described  by  Gunther  Remy  and 
Riecke  [7].  I  Ax  types  are  generated  from  the  base 
types  0  (empty),  comm  (commands),  nat  (natural 
numbers),  var  (natural  number  references)  and  exn 
(exceptions). 

T  ::=  0  I  comm  |  nat  |  var  |  exn  |  T  T. 

Terms  are  formed  according  to  the  grammar: 

M  ::=  X  I  skip  |  0  |  succ  M  \  pred  M  \  IFO  M  \ 
Xx.M  I  MM  I  YM  \M;M  \ 

new.exn  A/  |  mkexn  A/  M  \  raise  M  \  handle  il/  M  \ 
new  A/  I  mkvar  A/  M  \  M  :=  M  |  !A/. 

Typing  judgements  extend  those  for  LA.  as  follows 
(13  =  0  I  comm  |  nat): 

rhA/:exn=»i3  rhA/:0=>comm  ri-A':0 

ri-new_exn  A/:13  Thmkexn  A/ ALexn 

ri-Af  :exn  ri-A/:exn  LhALO 

Thraise  M :B  Thhandle  M  A'^:comm 

The  “big  step”  operational  semantics  for  the  impera¬ 
tive  fragment  of  lAx  is  given  in  Table  1.  Evaluation 
takes  place  in  an  environment  consisting  of  a  set  of  ex¬ 
ception  names  S,  a  set  of  variable  names  or  locations  C, 
and  a  store  S  —  a  partial  mapping  from  C  to  natural 
numbers.  By  convention,  mention  of  the  environment 
is  omitted  where  possible.  The  new.exn  and  new  con¬ 
stants  evaluate  in  the  same  way;  each  generates  a  now 
name  which  is  added  to  the  environment,  and  supplied 
to  its  argument.  Similarly,  the  mkvar  construct  for  gen¬ 
erating  “bad  variables”  [15,  1]  has  a  precise  analogue  in 
the  mkexn  operation  for  constructing  “bad  exceptions"; 
terms  of  exception  type  which  may  not  have  the  correct 
raising  and  handling  behaviour. 

Programs are evaluated to a final form D, which is either a value V or an exception E = raise h for some name h; the latter are propagated through the program until they are caught. The handler is simply an operation for capturing a named exception. Because there are no values of type 0, N : 0 can only evaluate to an exception raise k, so handle h N compares the names h and k and evaluates to skip if they are equal and propagates the exception raise k if they are not. Unlike ML exceptions, in which the use of a universal type of exceptions results in recursive behaviour, the much more restrictive typing of IAx prevents this.

Proposition 2.1 For any program M of IAx − {Y}, there is some D such that $M \Downarrow D$.

A standard notion of observational equivalence can be defined.

Definition 2.2 Terms M, N : T are observationally equivalent (written $M \simeq N$) if for any closing context $C[-] : \mathsf{comm}$, $C[M] \Downarrow \mathsf{skip}$ if and only if $C[N] \Downarrow \mathsf{skip}$.

Idealized exceptions fit well with the block structure of Idealized Algol and, despite their apparent simplicity, are quite expressive. For instance, although exceptions in Java (and to a lesser extent ML) are more sophisticated in that one handler can be used to trap different exceptions using subtyping, the basic behaviour of Java's try and catch operations can be captured by defining (for M, N : comm, H : exn):

$$\mathsf{try}\,M\,\mathsf{catch}\,H\,N =_{df} \mathsf{new\_exn}\,\lambda k.\,\mathsf{handle}\,k\,((\mathsf{handle}\,H\,(M;\,\mathsf{raise}\,k));\,N;\,\mathsf{raise}\,k).$$

This executes the command M. If M completes, raise k is reached immediately, so the catch block N is skipped and the outer handler turns raise k into skip; if the exception H is raised whilst running M, then it is caught by the inner handler, the command N is executed, and raise k again returns control to the outer handler. Any exception other than H raised by M is caught by neither handler and propagates out of the whole construct.

Exceptions in ML can carry values; this “storage” aspect of exceptions has not been included in IAx because it seems peripheral to the more significant features of exceptions (control-flow manipulation and local declaration) and can be simulated very easily using explicit store. For example, in IAx exceptions carrying natural numbers as values can be represented using (var ⇒ (exn ⇒ comm)) ⇒ comm as the type of natural-number-carrying exceptions, as follows (the derived operations are primed here to distinguish them from the primitives; an exception of the derived type packages a variable holding the value together with a name):

$$\mathsf{new\_exn}'\,M =_{df} \mathsf{new\_exn}\,\lambda x.\,\mathsf{new}\,\lambda y.\,(M\,(\lambda g.\,g\,y\,x))$$
$$\mathsf{raise}'\,M\,N : B =_{df} M\,(\lambda y\,x.\,y := N;\,\mathsf{raise}\,x)$$
$$\mathsf{handle}'\,M\,N =_{df} \mathsf{new}\,\lambda z.\,(M\,(\lambda y\,x.\,(\mathsf{handle}\,x\,N);\,z := !y));\,!z$$

3  Control  Games 

The games constructions which will be used to model IAx are based on those given by Hyland and Ong [9] and Nickau [14], in which states of the game are represented as justified sequences of moves. Several developments of this basic framework will be used here, in particular the relaxation of constraints to define a model of Idealized Algol [1, 5]. However, it has also been necessary to enrich more significantly the structure on which the games are based (justified sequences) by adding a new notion of ‘contingency pointer’ to track the flow of control. Fortunately, this fits in relatively smoothly with the original constructions and developments aforementioned.

Declaration (the environment is written only where a rule changes or reads it; h, e range over exception names, x over locations, n over natural numbers, V over values and E over exceptions):

$$\frac{M,\ \mathcal{E}\cup\{h\} \Downarrow D}{\mathsf{new\_exn}\,M,\ \mathcal{E} \Downarrow D}
\qquad
\frac{M,\ \mathcal{L}\cup\{x\} \Downarrow D}{\mathsf{new}\,M,\ \mathcal{L} \Downarrow D}$$

Raising:

$$\frac{M \Downarrow e}{\mathsf{raise}\,M \Downarrow \mathsf{raise}\,e}
\qquad
\frac{M \Downarrow E}{\mathsf{raise}\,M \Downarrow E}
\qquad
\frac{M \Downarrow \mathsf{mkexn}\,N_1\,N_2 \quad N_2 \Downarrow D}{\mathsf{raise}\,M \Downarrow D}$$

Handling:

$$\frac{M \Downarrow h \quad N \Downarrow \mathsf{raise}\,h}{\mathsf{handle}\,M\,N \Downarrow \mathsf{skip}}
\qquad
\frac{M \Downarrow h \quad N \Downarrow \mathsf{raise}\,e \quad e \neq h}{\mathsf{handle}\,M\,N \Downarrow \mathsf{raise}\,e}$$

$$\frac{M \Downarrow E}{\mathsf{handle}\,M\,N \Downarrow E}
\qquad
\frac{M \Downarrow \mathsf{mkexn}\,N_1\,N_2 \quad N_1\,L \Downarrow D}{\mathsf{handle}\,M\,L \Downarrow D}$$

Sequencing:

$$\frac{M \Downarrow V \quad N \Downarrow D}{M;N \Downarrow D}
\qquad
\frac{M \Downarrow E}{M;N \Downarrow E}$$

Store (the right-hand side of an assignment is evaluated first):

$$\frac{N,\ \mathcal{S} \Downarrow n,\ \mathcal{S}' \quad M,\ \mathcal{S}' \Downarrow x,\ \mathcal{S}''}{M := N,\ \mathcal{S} \Downarrow \mathsf{skip},\ \mathcal{S}''[x \mapsto n]}
\qquad
\frac{N \Downarrow E}{M := N \Downarrow E}
\qquad
\frac{N \Downarrow n \quad M \Downarrow E}{M := N \Downarrow E}$$

$$\frac{L \Downarrow n \quad M \Downarrow \mathsf{mkvar}\,N_1\,N_2 \quad N_1\,n \Downarrow D}{M := L \Downarrow D}
\qquad
\frac{M,\ \mathcal{S} \Downarrow x,\ \mathcal{S}' \quad \mathcal{S}'(x) = n}{!M,\ \mathcal{S} \Downarrow n,\ \mathcal{S}'}
\qquad
\frac{M \Downarrow E}{!M \Downarrow E}
\qquad
\frac{M \Downarrow \mathsf{mkvar}\,N_1\,N_2 \quad N_2 \Downarrow D}{!M \Downarrow D}$$

Table 1. Operational semantics of exceptions and store

The structure of a game (the moves, their labels, how they are related) is specified by its arena, defined essentially as in [9]. An arena A is a triple $(M_A,\ \vdash_A \subseteq (M_A \cup \{*\}) \times M_A,\ \lambda_A : M_A \to \{Q, A\})$, where

• $M_A$ is a set of tokens called moves,

• $\vdash_A \subseteq (M_A \cup \{*\}) \times M_A$ is a relation called enabling, which allows a unique polarity for moves to be inferred by the following rule: m is an O-move if it is initial (i.e. $* \vdash m$) or enabled by a P-move; m is a P-move if it is enabled by an O-move,

• $\lambda_A : M_A \to \{Q, A\}$ is a function which labels moves as answers (A) or questions (Q), such that every answer has a unique enabling move, which is a question.

A justified sequence over an arena A is a sequence of elements of $M_A$ in which each occurrence of a non-initial move comes with a justification pointer to a preceding occurrence of an enabling move. The transitive closure of justification is referred to as hereditary justification. A sequence is alternating if Opponent moves are always followed by Player moves, and vice versa.

In order to capture the control behaviour of exceptions in a compositional way, additional pointers of a very similar kind will be added to justified sequences. (The key difference is that there is no structure constraining these pointers analogous to the enabling relation.)

Definition 3.1 A contingency pointer for a move in a justified sequence is a pointer (distinct from its justification pointer) to a preceding question. A move is contingent if it has such a pointer. A control sequence is a justified sequence in which contingency pointers satisfy the same conditions as justification pointers: i.e.

• every Player move is contingent on some Opponent move,

• every contingent Opponent move is contingent on a Player move,

• every answer move is contingent on its enabling question.

The set of alternating control sequences over the arena A will be written $C_A$. If a can be reached by following contingency pointers back from c, then c is said to be hereditarily contingent on a. To avoid ambiguity caused by multiple occurrences of the same move, we shall sometimes say that in the sequence tb, b is contingent on the prefix $sa \sqsubseteq tb$ instead of saying that b is contingent on a.

3.1 A Category

A category of arenas and strategies can now be defined using the standard constructions [9, 12].

Product For any set-indexed family of arenas $\{A_i \mid i \in I\}$, form the product $A = \prod_{i \in I} A_i$ as follows:

• $M_A = \sum_{i \in I} M_{A_i}$ (moves are tagged pairs (m, i)),

• $(m,i) \vdash_{A} (n,j)$ if $i = j$ and $m \vdash_{A_i} n$, and $* \vdash_{A} (n,j)$ if $* \vdash_{A_j} n$,

• $\lambda_{A}(m,i) = \lambda_{A_i}(m)$.

For finite k, the product of k copies of the arena A will be written $A^k$.

Function Space For arenas $A_1, A_2$, form $A_1 \Rightarrow A_2$ as follows:

• $M_{A_1 \Rightarrow A_2} = M_{A_1} + M_{A_2}$,

• $(m,i) \vdash_{A_1 \Rightarrow A_2} (n,j)$ if $i = j$ and $m \vdash_{A_i} n$, or $m \in M_{A_2}$, $n \in M_{A_1}$, $* \vdash_{A_2} m$ and $* \vdash_{A_1} n$; and $* \vdash_{A_1 \Rightarrow A_2} (m,i)$ if $m \in M_{A_2}$ and $* \vdash_{A_2} m$,

• $\lambda_{A_1 \Rightarrow A_2}(m,i) = \lambda_{A_i}(m)$.

The arena with a single question move is written o.

Definition 3.2 A (deterministic) strategy over an arena A is a non-empty even-prefix-closed set of even-length alternating justified sequences which is evenly branching: $sa, sb \in \sigma \implies a = b$.

A control-strategy on A is a strategy consisting of control-sequences (i.e. a subset of $C_A$).

The control-strategies will be referred to simply as strategies where the context is clear.

Composition of control-strategies is a straightforward extension of ‘parallel composition with hiding’ [6] to control sequences.

If $s \in C_{A_1 \Rightarrow (A_2 \Rightarrow A_3)}$ then $s{\upharpoonright}(A_i, A_j)$ is a sequence with contingency pointers (not necessarily a true control sequence) defined as follows:

$\varepsilon{\upharpoonright}(A_i, A_j) = \varepsilon$,

$sa{\upharpoonright}(A_i, A_j) = s{\upharpoonright}(A_i, A_j)$ if $a \notin A_i, A_j$,

$sa{\upharpoonright}(A_i, A_j) = (s{\upharpoonright}(A_i, A_j))\,a$ if $a \in A_i, A_j$,

where a is justified by the most recently played move from $A_i$ or $A_j$ which hereditarily justifies a in s (if any), and a is contingent on the most recent move from $A_i$ or $A_j$ on which it is hereditarily contingent.

Definition 3.3 For $\sigma : A_1 \Rightarrow A_2$ and $\tau : A_2 \Rightarrow A_3$,

$$\sigma;\tau = \{\, s \in C_{A_1 \Rightarrow A_3} \mid \exists t \in C_{A_1 \Rightarrow (A_2 \Rightarrow A_3)}.\ t{\upharpoonright}(A_1, A_2) \in \sigma \ \wedge\ t{\upharpoonright}(A_2, A_3) \in \tau \ \wedge\ t{\upharpoonright}(A_1, A_3) = s \,\}.$$

As usual, canonical morphisms are copycat strategies which just copy Opponent moves between different parts of a game. However, contingency pointers (unlike justification pointers) are not copied; to define copycat control-strategies requires the notion of pending question.

Definition 3.4 Define the “pending question prefix” of a justified sequence as follows:

pending(ε) = ε,

pending(sa) = sa, if a is a question,

pending(satb) = pending(s), if b is an answer to a.

Definition 3.5 For any arena A, define the identity control-strategy $\mathrm{id}_A : A \Rightarrow A$ to be the least subset of $C_{A \Rightarrow A}$ containing ε and closed under the condition:

if $s \in \mathrm{id}_A$, $sab{\upharpoonright}A^{+} = sab{\upharpoonright}A^{-}$ (the restrictions to the two copies of A agree) and b is contingent on (the last move in) pending(sa), then $sab \in \mathrm{id}_A$.

So, for example, in the play of $\mathrm{id}_{o \Rightarrow o}$ represented in Figure 1, the last move is contingent on its immediate predecessor, but justified by the initial move.

Figure 1. A play of $\mathrm{id}_{o \Rightarrow o}$ (with contingency pointers) over the arena $(o \Rightarrow o) \Rightarrow (o \Rightarrow o)$

As for general strategies [12], arenas and control-strategies form an SMCC which can be refined to a CCC of well-opened strategies.

Definition 3.6 The thread of the last move in a non-empty control sequence is defined as follows:

thread(sa) = a (a initial),

thread(satb) = thread(sa)b (a is the last move in sat justified by the same initial move as b), where b is contingent on the most recent move in thread(sab) on which it is hereditarily contingent in satb.

A strategy σ is well-opened if every control sequence in σ contains at most one initial move.

If τ : A is a well-opened strategy, then $\tau^{\dagger} : A$ is the least subset of $C_A$ containing ε and closed under the condition:

if $s \in \tau^{\dagger}$ and thread(sab) ∈ τ, then $sab \in \tau^{\dagger}$.

The well-opened identity is the restriction of $\mathrm{id}_A$ to well-opened sequences.

Thus we have two cartesian closed categories of games, both of which have arenas as objects and well-opened strategies over the function-space A ⇒ B as morphisms from A to B, with composition $\sigma \cdot \tau$ defined from the composition of Definition 3.3 and promotion $(\cdot)^{\dagger}$: $(\mathcal{G}, 1, \times, \Rightarrow)$, the category of games, which has (general) strategies as morphisms, and $(C\mathcal{G}, 1, \times, \Rightarrow)$, the category of control games, which has control-strategies as morphisms.

Apart from exception-declaration and handling, the semantics of IAx is given by an embedding which takes the semantics of IA in $\mathcal{G}$ [1] to $C\mathcal{G}$. To define this embedding requires the notion of well-bracketing.

Definition 3.7 A strategy σ in $\mathcal{G}$ is well-bracketed if every answer played by σ is justified by the pending question. A control-strategy σ in $C\mathcal{G}$ is well-bracketed if every move made by σ is contingent on the pending question: i.e. if $sab \in \sigma$, then b is contingent on pending(sa).

The well-bracketed strategies form cartesian closed subcategories of $\mathcal{G}$ and $C\mathcal{G}$, which will be written $\mathcal{G}_{wb}$ and $C\mathcal{G}_{wb}$. All of the strategies required to interpret IA [1] are well-bracketed.

Definition 3.8 For any control sequence s, let |s| be the underlying justified sequence obtained by forgetting the contingency pointers. For a control-strategy σ, let $|\sigma| = \{|s| : s \in \sigma\}$. Say that σ is control-blind if |σ| is a deterministic strategy.

Proposition 3.9 There is an embedding of $\mathcal{G}_{wb}$ into $C\mathcal{G}$, which has as its image the well-bracketed and control-blind strategies.

Proof: For any $\sigma : A \in \mathcal{G}_{wb}$ define $\hat{\sigma}$ to be the least subset of $C_A$ containing ε and closed under the following condition:

if $s \in \hat{\sigma}$, $|sab| \in \sigma$ and b is contingent on pending(sa), then $sab \in \hat{\sigma}$.

Then $\hat{\sigma}$ is a well-bracketed strategy (well-bracketedness of σ implies that every answer is contingent on its justifying question) and $\hat{(\cdot)}$ is compositional and preserves cartesian closed structure. For any $\tau \in \mathcal{G}_{wb}$, $|\hat{\tau}| = \tau$, and for any well-bracketed and control-blind $\sigma \in C\mathcal{G}$, $\widehat{|\sigma|} = \sigma$. □

4  Semantics  of  Exceptions 

The interpretation of locally bound exceptions given here is based on viewing elements of exception type h : exn as ‘objects’ defined by their ‘methods’, in this case raise h : comm and handle h : 0 ⇒ comm. This was suggested as an interpretation for reference types by Reynolds [15] and followed in a game semantics setting in [1, 5].

The type exn is interpreted as the arena $\mathsf{exn} = ([\![0]\!] \Rightarrow [\![\mathsf{comm}]\!]) \times [\![0]\!]$ (where $[\![\mathsf{comm}]\!]$ is the arena with one question and one answer, and $[\![0]\!]$ is the arena o with just a question). The initial questions in the two components $[\![0]\!] \Rightarrow [\![\mathsf{comm}]\!]$ and $[\![0]\!]$ will be referred to as handle and raise respectively. The answer to handle will be referred to as caught, and the question enabled by handle as ok. The handle and raise methods are the first and second projections from exn; mkexn is pairing:

$$[\![\Gamma \vdash \mathsf{handle}\,M\,N]\!] = \langle [\![\Gamma \vdash M]\!];\pi_1,\ [\![\Gamma \vdash N]\!] \rangle;\mathsf{App}$$

$$[\![\Gamma \vdash \mathsf{raise}\,M : B]\!] = [\![\Gamma \vdash M]\!];\pi_2;\mathsf{Wk}_{[\![B]\!]}$$

$$[\![\Gamma \vdash \mathsf{mkexn}\,M\,N]\!] = \langle [\![\Gamma \vdash M]\!],\ [\![\Gamma \vdash N]\!] \rangle$$

(where $\mathsf{Wk}_A : o \Rightarrow A$ is the strategy which responds to the initial question in A with the unique question in o). Thus the only part of IAx which is not represented by a control-blind and well-bracketed strategy is new-exception declaration. This is defined using composition with a strategy xcell (similar to the strategy cell which gives the denotation of new [1]) that uses contingency pointers in an essential way to match up raises and handles appropriately, via the notion of an open question.

Definition 4.1 The set of prefixes of a control sequence which terminate in an open question is defined by induction on length, as follows:

open(ε) = {},

open(sa) = {sa}, if a is not contingent,

and if b is contingent on a, then:

open(satb) = open(s), if $\lambda_A(b) = A$,

open(satb) = open(sa) ∪ {satb}, otherwise.

Figure 2. A typical play of xcell over the arena $([\![0]\!] \Rightarrow [\![\mathsf{comm}]\!]) \times [\![0]\!]$: handle moves answered by ok, then a raise answered by caught (arrows are contingency pointers)

A “typical play” of xcell is depicted in Figure 2 (arrows are contingency pointers). Its behaviour can be described informally as follows.

• If Opponent plays a handle move then xcell responds with an ‘ok’ move, justified by (and contingent on) it.

• If Opponent plays a raise move and some handle moves are open, then xcell answers the most recently played one. If there is no open handle question, then xcell does nothing; this represents divergence caused by an uncaught exception.

Definition 4.2 Let the strategy xcell : exn be the least subset of $C_{\mathsf{exn}}$ containing ε and closed under the following conditions:

if $s \in \mathsf{xcell}$, then $s \cdot \mathsf{handle} \cdot \mathsf{ok} \in \mathsf{xcell}$ (where ok is contingent on $s \cdot \mathsf{handle}$),

if $t \in \mathsf{xcell}$, $s \cdot \mathsf{handle} \in \mathrm{open}(t \cdot \mathsf{raise})$, and for all $r \cdot \mathsf{handle} \in \mathrm{open}(t \cdot \mathsf{raise})$, $r \sqsubseteq s$, then $t \cdot \mathsf{raise} \cdot \mathsf{caught} \in \mathsf{xcell}$, where caught is contingent on $s \cdot \mathsf{handle}$.

$$[\![\Gamma \vdash \mathsf{new\_exn}\,M]\!] = ([\![\Gamma \vdash M]\!] \times \mathsf{xcell});\mathsf{App}.$$
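To make Definitions 4.1 and 4.2 concrete, the following Python code, an example added to this edition rather than anything from the paper, computes the open questions of a control sequence and xcell's replies on a constructed play with two nested handles (compare Figure 2). Moves carry only a Q/A label and their contingency pointer (an index into the sequence); justification pointers are omitted because xcell's choices depend only on contingency. The names Move, open_prefixes, xcell_response and nested_handlers_play are this example's own.

```python
"""Open questions (Def. 4.1) and the strategy xcell (Def. 4.2) on explicit
control sequences.  Example added to this edition; not code from the paper.
A control sequence is a list of Move; `cont` is the index of the move that a
move is contingent on (None if it is not contingent).  Justification
pointers are left out: xcell's replies depend only on contingency pointers."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Move:
    name: str              # 'handle', 'ok', 'raise' or 'caught'
    label: str             # 'Q' (question) or 'A' (answer)
    cont: Optional[int]    # index of the move this one is contingent on


def open_prefixes(s: List[Move]) -> Set[int]:
    """Indices i such that the prefix s[:i+1] ends in an open question (Def. 4.1)."""
    if not s:
        return set()
    n = len(s) - 1
    b = s[n]
    if b.cont is None:                       # a not contingent: open(sa) = {sa}
        return {n}
    a = b.cont
    if b.label == 'A':                       # an answer to a closes a and all later moves
        return open_prefixes(s[:a])
    return open_prefixes(s[:a + 1]) | {n}    # a question inside a: open(sa) plus itself


def xcell_response(s: List[Move]) -> Optional[Move]:
    """xcell's reply to the Opponent move at the end of s (Def. 4.2); None = stay silent."""
    last = s[-1]
    if last.name == 'handle':
        return Move('ok', 'Q', len(s) - 1)   # ok, contingent on (and justified by) handle
    if last.name == 'raise':
        handles = [i for i in open_prefixes(s) if s[i].name == 'handle']
        if not handles:
            return None                      # no open handler: uncaught exception
        return Move('caught', 'A', max(handles))   # answer the most recent open handle
    raise ValueError(f"not an Opponent move: {last.name}")


def nested_handlers_play() -> List[Move]:
    """Constructed play: two nested handles, then three raises (cf. Figure 2)."""
    s: List[Move] = []

    def opp(name: str, cont: Optional[int]) -> Optional[Move]:
        s.append(Move(name, 'Q', cont))
        p = xcell_response(s)
        if p is not None:
            s.append(p)
        return p

    opp('handle', None)   # 0: outer handle          -> 1: ok
    opp('handle', 1)      # 2: inner handle, in ok 1 -> 3: ok
    opp('raise', 3)       # 4: raise inside ok 3     -> 5: caught, pointing at 2
    opp('raise', 1)       # 6: raise inside ok 1     -> 7: caught, pointing at 0
    opp('raise', None)    # 8: raise, nothing open   -> no reply (divergence)
    return s
```

Running nested_handlers_play() shows the two properties the informal description relies on: after the inner caught (move 5) the open set collapses to {0, 1}, so the next raise is matched with the outer handle, and a raise with no open handle gets no reply at all.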

4.1  Soundness 

Soundness of the interpretation with respect to the operational semantics can now be established; the only novel feature of the proof is that it requires meanings to be assigned to programs which raise exceptions. Given M : comm or M : nat, $\mathcal{E} = e_1, \ldots, e_n$, $\mathcal{L} = x_1, \ldots, x_m$ and $k \le m$ such that $\mathcal{S}(x_i)\!\downarrow$ if and only if $i \le k$, let

$$\mathsf{new}\,\mathcal{L} := \mathcal{S}\ \mathsf{in}\ M =_{df} \mathsf{new}\,\lambda x_1 \ldots \mathsf{new}\,\lambda x_m.\ x_1 := \mathcal{S}(x_1);\ \ldots;\ x_k := \mathcal{S}(x_k);\ M.$$

Then $[\![M, \mathcal{E}, \mathcal{L}, \mathcal{S}]\!]$ is the unique maximal-length sequence s in $[\![e_1, \ldots, e_n \vdash \mathsf{new}\,\mathcal{L} := \mathcal{S}\ \mathsf{in}\ M]\!]$ such that $s{\upharpoonright}\mathsf{exn}^n \in \mathsf{xcell}^n$.

Soundness is proved (by induction on derivation, using standard facts about the model together with analysis of xcell) with respect to the following binary approximation relation (≈):

$[\![M, \mathcal{E}, \mathcal{L}, \mathcal{S}]\!] \approx [\![M', \mathcal{E}', \mathcal{L}', \mathcal{S}']\!]$ if the last move in $[\![M, \mathcal{E}, \mathcal{L}, \mathcal{S}]\!]$ is the same as the last move in $[\![M', \mathcal{E}', \mathcal{L}', \mathcal{S}']\!]$.

Proposition 4.3 If $M, \mathcal{E}, \mathcal{L}, \mathcal{S} \Downarrow D, \mathcal{E}', \mathcal{L}', \mathcal{S}'$ then $[\![M, \mathcal{E}, \mathcal{L}, \mathcal{S}]\!] \approx [\![D, \mathcal{E}', \mathcal{L}', \mathcal{S}']\!]$.

The interpretation is also adequate. This follows directly from soundness and termination of all evaluations of Y-free terms (Proposition 2.1).

Proposition 4.4 For any IAx program M : comm, $[\![M]\!] \ne \bot$ if and only if $M \Downarrow \mathsf{skip}$.

Proof: The proof of completeness is by induction on the number of occurrences of Y in M. Suppose $[\![M]\!] \ne \bot$. If M is Y-free then by Proposition 2.1 $M \Downarrow D$ for some D, and D = skip by soundness. If $M = C[YN]$ for some Y-free N, then $[\![C[YN]]\!] = \bigsqcup_{k \in \omega} [\![C[Y_k N]]\!]$, where $Y_0 N = \Omega$ and $Y_{k+1} N = N\,(Y_k N)$ are the syntactic approximants to YN. Hence $[\![C[Y_k N]]\!] \ne \bot$ for some $k \in \omega$, so by induction $C[Y_k N] \Downarrow \mathsf{skip}$, and an induction on derivations shows that $C[YN] \Downarrow \mathsf{skip}$. □

5  A  Fully  Abstract  Model 

An adequate model of IAx with exceptions has been described which is not fully abstract because it lacks the following ‘definability property’.

Definition 5.1 A model $\mathcal{M}$ of IAx has the definability property if for every context Γ and type T, every (compact) $f : [\![\Gamma]\!] \to [\![T]\!]$ in $\mathcal{M}$ is definable; i.e. there exists an IAx term $M_f$ such that $f = [\![\Gamma \vdash M_f : T]\!]$.

In this section, the category of control games will be cut down so that all compact strategies are definable in IAx by giving a series of semantic definability criteria, and hence a full abstraction result will be achieved. The criteria are based on constraining three aspects of behaviour on control games: which moves Player's contingency pointers can point to (a variant of the bracketing condition), which moves Player's justification pointers can point to (a variant of the visibility condition [9]) and a new condition governing which of Opponent's contingency pointers can be observed by Player.

Definition 5.2 (Weak Bracketing) A strategy σ is weakly bracketed if every Player move in σ is contingent on an open question; i.e. if $sb \in \sigma$ where b is contingent on $ta \sqsubseteq sb$, then $ta \in \mathrm{open}(s)$.

The notion of view, defined for justified sequences in [9], extends to control sequences in line with the intuition that when Player makes a move contingent on an earlier move it may be regarded as if they occurred in direct succession.

Definition 5.3 (View) The Player-view $\ulcorner s \urcorner$ of a control sequence s is defined as follows:

$\ulcorner sa \urcorner = a$, if a is initial,

$\ulcorner satb \urcorner = \ulcorner sa \urcorner b$, if b is an O-move justified by a,

$\ulcorner satb \urcorner = \ulcorner sa \urcorner b$, if b is a P-question contingent on a,

$\ulcorner satb \urcorner = \cdots$, if b is a P-answer to a (the right-hand side of this clause is illegible in the source).

This accords with the original notion of views given in [9] in that for any well-bracketed strategy $\sigma \in C\mathcal{G}$, $s \in \sigma$ implies that $\ulcorner s \urcorner = \ulcorner |s| \urcorner$. It “dualizes” to a notion of O-view ($\llcorner s \lrcorner$) as in [9].

Definition 5.4 (Visibility) A strategy σ (in $C\mathcal{G}$ or $\mathcal{G}$) satisfies the visibility condition if for every $s \in \sigma$, $\ulcorner s \urcorner$ is a well-defined justified sequence. The cartesian closed subcategory of $\mathcal{G}$ of well-bracketed strategies satisfying visibility will be written $\mathcal{G}_{vb}$.

A (well-bracketed) strategy σ satisfies visibility if and only if |σ| satisfies visibility. Hence the embedding of $\mathcal{G}_{wb}$ into $C\mathcal{G}$ restricts to $\mathcal{G}_{vb}$.

The third definability criterion limits the power of Player to observe contingency pointers. (It corresponds to the fact that in IAx the only way to observe exception handling is by raising and handling a competing exception.)

Let satb be a control sequence in which b is a P-move contingent on a, and let $rc \sqsubseteq satb$ where c is an O-move. Then c is prematurely closed by b if $rc \in \mathrm{open}(sat)$ and $rc \notin \mathrm{open}(sa)$. Player's perspective on a control sequence is obtained by deleting the contingency pointers which are not attached to O-questions prematurely closed by some P-move. It can be defined concisely (by extension over control sequences) as follows:

$\lceil \varepsilon \rceil = \varepsilon$,

if b is contingent on a, then $\lceil satb \rceil = \lceil s \rceil\, a\, \lceil t \rceil\, b$, where the pointer from b to a is included if and only if a is a P-question, and all of the pointers from $a \lceil t \rceil$ into s are omitted.

Definition 5.5 A strategy σ is control-innocent if whenever $sab, t \in \sigma$ and $\lceil sab \rceil = \lceil tab \rceil$, then $tab \in \sigma$.

Proposition 5.6 If σ is well-bracketed and control-innocent then σ is control-blind.

Proof: If σ is a well-bracketed strategy, then $\lceil s \rceil = |s|$ for every $s \in \sigma$, as σ closes only pending O-questions. □

Hence the image of the embedding of $\mathcal{G}_{vb}$ into $C\mathcal{G}$ consists of the well-bracketed strategies satisfying visibility and control-innocence. The following proposition is just a straightforward extension of the definability theorem for IA [1] to include the base type exn.

Proposition 5.7 All finite strategies in $\mathcal{G}_{vb}$ over IAx − {new_exn} type-objects are definable in IAx − {new_exn}.

Corollary 5.8 The (compact) definable strategies of IAx − {new_exn} are the well-bracketed and control-innocent finite strategies which satisfy visibility.

5.1  Factorization  and  Definability 

The finite, weakly-bracketed, visibility-satisfying and control-innocent strategies can now be identified as the compact IAx-definable morphisms by showing that they are obtained by composing xcell with the well-bracketed and control-blind strategies.

Definition 5.9 Define $C\mathcal{G}/\mathsf{xcell}$ to be the cartesian closed subcategory of control games in which morphisms are finite strategies $f : A \Rightarrow B$ such that there exist $k \in \omega$ and a well-bracketed strategy $g : A \times \mathsf{exn}^k \Rightarrow B$ with $\mathrm{id} \times \mathsf{xcell}^k;\, g = f$.

Proposition 5.10 The compact elements of $C\mathcal{G}$ which are definable in IAx are precisely the morphisms of $C\mathcal{G}/\mathsf{xcell}$.

Proof: It is straightforward to establish by structural induction on M that every $[\![\Gamma \vdash M : T]\!]$ is the least upper bound of a chain of approximants in $C\mathcal{G}/\mathsf{xcell}$. Conversely, if $\sigma : [\![\Gamma]\!] \to [\![T]\!]$ is a morphism in $C\mathcal{G}/\mathsf{xcell}$ then there is a well-bracketed, and hence IAx − {new_exn} definable, strategy $g : [\![\Gamma]\!] \times \mathsf{exn}^k \Rightarrow [\![T]\!]$ such that $\sigma = \mathrm{id}_{[\![\Gamma]\!]} \times \mathsf{xcell}^k;\, g$, and hence $\sigma = [\![\Gamma \vdash \mathsf{new\_exn}\,\lambda x_1 \ldots \mathsf{new\_exn}\,\lambda x_k.\, M_g]\!]$. □

Proposition 5.11 A strategy is in $C\mathcal{G}/\mathsf{xcell}$ if and only if it is finite, weakly-bracketed, control-innocent and satisfies visibility.

Proof of this proposition comes in two parts: first it is shown that if $\sigma : \mathsf{exn} \Rightarrow A$ satisfies weak-bracketing, control-innocence and visibility then so does $\mathsf{xcell};\sigma$, which is a consequence of the following two lemmas.

Lemma 5.12 Suppose $\sigma : \mathsf{exn} \Rightarrow A$ and $sa \in \sigma$ is such that a is a move in A, and $s{\upharpoonright}\mathsf{exn} \in \mathsf{xcell}$. Then $\mathrm{open}(sa){\upharpoonright}A = \mathrm{open}(sa{\upharpoonright}A)$ and $\ulcorner sa \urcorner = \ulcorner sa{\upharpoonright}A \urcorner$.

Lemma 5.13 Suppose $\sigma : \mathsf{exn} \Rightarrow A$ is control-innocent, and $sab, t \in \sigma$ where $s{\upharpoonright}\mathsf{exn},\ t{\upharpoonright}\mathsf{exn} \in \mathsf{xcell}$ and b is a move in A such that $\lceil sab{\upharpoonright}A \rceil = \lceil tab{\upharpoonright}A \rceil$. Then $tab \in \sigma$.

The second part of the proof of Proposition 5.11 is to show that all weakly-bracketed strategies can be obtained from well-bracketed strategies by composition with xcell (so in fact the stronger result that every compact strategy can be defined using a single exception variable is established). This is achieved by methods similar to the factorizations described in [1, 10, 5, 8], in this case using the jump in control between the raise and caught moves of xcell to generate all of the control jumps in a weakly-bracketed strategy. The complicating factor is that the properties of control-innocence and visibility must be maintained. In particular, forcing Opponent to close questions instead of Player hides their contingency pointers; as has already been observed, well-bracketed strategies cannot observe any pointers at all. So it is necessary to make all of the information carried by the perspectives of σ manifest as explicit exception handling.

The factorization of a strategy $\sigma : A$ to $\hat{\sigma} : \mathsf{exn} \Rightarrow A$ by adding handle, ok and raise, caught moves in exn (see Figure 3) can be informally described as follows.

• Immediately before playing a question in A, $\hat{\sigma}$ plays a handle move (contingent on the pending question), to which Opponent responds with ok.

• If σ responds to sa by playing a move b which prematurely closes n Opponent moves, then $\hat{\sigma}$ responds to sa by playing n raise moves, each of which is caught by a handler corresponding to one of the O-moves which are closed by b, until all of these O-moves have been closed. If b is an answer then $\hat{\sigma}$ plays b contingent on the pending question; if b is a question, then $\hat{\sigma}$ plays a handle (as above) and then plays b pointing to the pending question.

Note that as all of the contingency pointers from the control-view of σ are used to match up the raises and handles, they are now observable as play in the premiss exn.

Proposition 5.14 (Control Factorization) If $\sigma : A$ is a finite, weakly-bracketed and control-innocent strategy (satisfying visibility) then there is some finite, well-bracketed strategy $\hat{\sigma} : \mathsf{exn} \Rightarrow A$ (satisfying visibility) such that $\mathsf{xcell};\hat{\sigma} = \sigma$.

Proof: is by defining $\hat{\sigma} = \{t \sqsubseteq \bar{s} \mid s \in \sigma\}$, where $\bar{(\cdot)} : C_A \to C_{\mathsf{exn} \Rightarrow A}$ is a translation on even-length control sequences such that:

• $\bar{s}{\upharpoonright}A = s$ and $\bar{s}{\upharpoonright}\mathsf{exn} \in \mathsf{xcell}$,

• every Player move in $\bar{s}$ is contingent on the pending question,

• if $\ulcorner s \urcorner$ is well-defined then so is $\ulcorner \bar{s} \urcorner$,

• $\lceil s \rceil = \lceil t \rceil$ if and only if $\bar{s} = \bar{t}$.

For an even-length sequence s, let $\#(s)$ be the number of O-questions prematurely closed by the last move in s. Now define $\bar{s}$ by induction on sequence length:

$\bar{\varepsilon} = \varepsilon$,

$\overline{spq} = \overline{sp}\,(\mathsf{raise}\ \mathsf{caught})^{\#(spq)}\,(\mathsf{handle}\ \mathsf{ok})\,q$,

$\overline{spa} = \overline{sp}\,(\mathsf{raise}\ \mathsf{caught})^{\#(spa)}\,a$,

where $\lambda(q) = Q$ and $\lambda(a) = A$. □


5.2  Full  Abstraction 

In a now-standard fashion, definability for the compact elements of the model of IAx yields full abstraction for its “intrinsic preorder collapse”. Moreover, this fully abstract model can be described directly, showing that it is effectively presentable.

Definition 5.15 Given strategies $\sigma, \tau : A$, $\sigma \lesssim_A \tau$ if for every well-bracketed strategy $\rho : A \Rightarrow [\![\mathsf{comm}]\!]$, $\sigma;\rho \ne \{\varepsilon\}$ implies $\tau;\rho \ne \{\varepsilon\}$. $\sigma \simeq_A \tau$ if $\sigma \lesssim_A \tau$ and $\tau \lesssim_A \sigma$.

Theorem 5.16 (Full Abstraction) For any closed terms M, N : T, $[\![M]\!]_{C\mathcal{G}} \simeq [\![N]\!]_{C\mathcal{G}}$ if and only if $M \simeq N$.

Figure 3. Factorization of a control jump (the raise and caught moves added in exn by $\hat{\sigma}$)

In fact, the equationally fully abstract model can be directly presented simply by including visibility and bracketing in the definition of a legal play.

Definition 5.17 An alternating control sequence s over an arena A is legal if both Player and Opponent satisfy the weak-bracketing and visibility conditions: i.e.

$sa \in L_A$ if and only if $s \in L_A$, if a is contingent on b then $b \in \mathrm{open}(s)$, and $\ulcorner sa \urcorner$ and $\llcorner sa \lrcorner$ are both well-formed justified sequences.

For $\sigma : A$, write $L(\sigma)$ for $\sigma \cap L_A$.

Lemma 5.18 For any $\sigma, \tau : A$, $L(\sigma) \subseteq L(\tau)$ if and only if $\sigma \lesssim_A \tau$.

Proof: To prove the implication from right to left (showing that control-innocence does not affect the intrinsic preorder) suppose $L(\sigma) \not\subseteq L(\tau)$. Let $sb \in \sigma$ be a minimal-length control sequence such that $sb \notin \tau$. Let q be the initial question in comm and a its answer, and define:

$$\rho : A \Rightarrow [\![\mathsf{comm}]\!] = \{\, t \in C_{A \Rightarrow [\![\mathsf{comm}]\!]} \mid \lceil t \rceil \sqsubseteq^{\mathrm{even}} \lceil qsba \rceil \,\}.$$

Then ρ is by definition a control-innocent strategy such that $\sigma;\rho \ne \{\varepsilon\}$. Moreover, $\tau;\rho = \{\varepsilon\}$: if $sc \in \tau$ then either $|sc| \ne |sb|$ or c and b are contingent on different moves, and hence $\lceil qsca \rceil \ne \lceil qsba \rceil$. □

6  Contingency  and  Expressiveness 

The  complex  structure  of  control  games  provokes 
the  question:  Are  contingency  pointers  really  neces¬ 
sary  to  model  exceptions?  The  category  Q  contains 
models  of  a  wide  range  of  sequential  features,  includ¬ 
ing  both  references  [1,  5]  and  call/cc  [10,  11]  at  all 
types.  Might  there  not  be  a  semantics  of  exceptions  in 
Q1  Part  of  the  interest  in  this  question  arises  because 
it  is  closely  related  to  a  problem  which  is  both  inde¬ 
pendent  of  semantics,  and  an  area  of  current  research 
interest:  When  can  one  combination  of  programming 
language  features  be  macro-expressed  in  terms  of  an¬ 
other  [17,  18]?  For  example,  it  is  “folklore”  [18]  that 
exceptions  may  be  expressed  in  terms  of  continuations 
and  references.  As  both  of  the  latter  can  be  modelled 
in  Q,  if  the  folklore  were  true  then  a  semantics  of  ex¬ 
ceptions  in  Q  could  be  given  by  factoring  through  this 
interpretation.  On  the  other  hand,  given  a  model  of 
exceptions,  continuations  and  references  in  Q  it  should 
be  possible  to  use  the  a  combination  of  the  definability 
results  for  references  and  continuations  to  extract  an 
encoding  of  exceptions. 

In fact, it is not possible to give a semantics of exceptions which is a conservative extension of the model of IA in Q, and hence it is not possible to macro-express exceptions using continuations and references. A paper is in preparation which contains formal proofs of the latter claim, using syntactic counterexamples extracted from the game semantics of exceptions, continuations and references. This section will sketch a proof of the former claim, showing how differences in contingency structure can cause differences in observable behaviour. A starting point is the observation that there are strategies which contain the same underlying justified sequences, but are observationally distinct because they have different contingency pointers. A simple arena in which this may be observed is ((o ⇒ o) ⇒ (o ⇒ o)), which will be called A₁ for short; it is the denotation of the type T₁ = (o ⇒ o) ⇒ (o ⇒ o). Recall that in the identity strategy on o ⇒ o (Figure 1) Player moves are always contingent on the preceding O-move.

Proposition 6.1 There is a weakly bracketed, visibility-satisfying and control-innocent strategy not_id : A₁ such that |not_id| = |id_{o⇒o}| but id ≠ not_id.

Proof: Let not_id be the strategy consisting of the even prefixes of the play depicted in Figure 4. Then |not_id_{o⇒o}| = |id_{o⇒o}| but not_id ≠ id by Lemma 5.18. □


Moreover (as the definability and full abstraction results imply) not_id and id are the denotations of terms which are not observationally equivalent: id = ⟦λf.f⟧, not_id = ⟦NOT_ID⟧ where NOT_ID = λf.λx.new_exn λh.(handle h (f raise h)); x.

NOT_ID ≄ λf.f; let ID_TEST : T₁ ⇒ comm = λg.new_exn λk.handle k (((g λx.handle k x) raise k); Ω). Then ID_TEST NOT_ID ⇓ skip and ID_TEST λf.f ⇑.
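The two terms above can be executed directly. The following Python transcription is an added example, not code from the paper: call-by-name arguments are modelled as thunks, new_exn as the allocation of a fresh exception class (so a handler catches only its own name), handle as a try/except that returns skip, and Ω as a distinguished Diverge marker that no object-level handler catches. Running ID_TEST on NOT_ID yields skip, while on λf.f the evaluation reaches Ω, which is the distinction stated above.

```python
# Added example (not from the paper): NOT_ID vs. the identity under ID_TEST.
# Call-by-name arguments are modelled as thunks (zero-argument functions);
# new_exn allocates a fresh exception class so that a handler catches only
# its own name; handle returns the command result "skip"; the divergent term
# Omega is the marker Diverge, which no object-level handler catches.

class Diverge(Exception):
    """Stands for Omega: evaluation does not terminate (modelled as escaping the program)."""


def new_exn():
    """new_exn: a fresh exception name (a new class, distinct from all others)."""
    return type("Exn", (Exception,), {})


def raise_(exn):
    """raise e: abort the current computation with exception name e."""
    raise exn()


def handle(exn, body):
    """handle e M: run M; if e escapes, the result is skip; other names pass through."""
    try:
        return body()
    except exn:
        return "skip"


def identity(f):
    """The term lambda f. f."""
    return f


def not_id(f):
    """NOT_ID = lambda f. lambda x. new_exn lambda h. (handle h (f raise h)); x"""
    def body(x):
        h = new_exn()
        handle(h, lambda: f(lambda: raise_(h)))  # f's argument raises the fresh h
        return x()                                # then run the command x
    return body


def id_test(g):
    """ID_TEST = lambda g. new_exn lambda k. handle k (((g lambda x. handle k x) raise k); Omega)"""
    k = new_exn()

    def body():
        inner = g(lambda x: handle(k, x))  # g applied to lambda x. handle k x
        inner(lambda: raise_(k))           # ... applied to the thunk raise k
        raise Diverge()                    # ; Omega
    return handle(k, body)


def diverges(g):
    """True when ID_TEST g reaches Omega, False when it converges to skip."""
    try:
        id_test(g)
    except Diverge:
        return True
    return False


if __name__ == "__main__":
    print("ID_TEST NOT_ID ->", id_test(not_id))                   # skip
    print("ID_TEST (lambda f. f) diverges:", diverges(identity))  # True
```

With λf.f, the handler for k installed inside the argument catches raise k and control falls through to Ω; with NOT_ID, that handler only ever sees the fresh name h, so raise k escapes past Ω to the outer handler. The sequence of calls made to f and x is the same in both cases; only which handler is in force when each raise happens differs, which is the contingency structure the text refers to.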

The distinction between not_id and id can be used to show that there is no model of IAx in Q.

Definition 6.2 Define the Q-strategy idtrunc : A₁ → A₁ = {t ∈ id_{A₁} | t↾A₁ = t↾A₁′ ∈ id_{o⇒o}}.

As the definability result of [1] entails, idtrunc is definable as a term of Idealized Algol:

TRUNC = λg : T₁.new λz.λf.λx.z := 0; ((g M₁) M₂), where M₁ = λy.IF0 !z then (z := 1; (f y)) else Ω and M₂ = IF0 !z then Ω else x.

Lemma 6.3 For all σ : A₁ in Q, σ; idtrunc ⊑_{A₁} id_{o⇒o}.

Proof:  This  is  direct  by  definition  of  idtrunc.  □ 

In CQ, not_id; idtrunc = not_id ⋢_{A₁} id_{o⇒o}, and this fact can be exploited to prove the following.

Proposition 6.4 There is no adequate model of IAx in Q which conservatively extends the semantics of IA.

Proof: Suppose there is such an interpretation. Then ID_TEST (TRUNC NOT_ID) ⇓ skip implies that ⟦ID_TEST (TRUNC NOT_ID)⟧_Q ≠ ⊥, and hence (⟦NOT_ID⟧_Q; idtrunc); ⟦ID_TEST⟧_Q ≠ ⊥. By Lemma 6.3, ⟦λf.f⟧_Q; ⟦ID_TEST⟧_Q ≠ ⊥, and so ⟦ID_TEST λf.f⟧_Q ≠ ⊥. But this contradicts adequacy, as ID_TEST λf.f ⇑. □

6.1  Further  Directions 

By demonstrating that the games semantics of exceptions requires new structure, unlike the models of references and continuations, we have shown the limitations of the "semantic cube" [4] of models of programming language features based simply upon relaxing constraints on the original model of PCF. But the basic analysis implicit in the cube is strengthened by the new structure — in effect, we have added an extra dimension to it. The extra degree of freedom available in the category of control games can be exploited to give a thorough analysis of the interactions between exceptions, continuations and references. The latter can be modelled by dropping the "visibility condition" in the style of [1] to reach a fully abstract semantics of "core ML". (It is straightforward to move to a call-by-value perspective by using, for instance, the Fam(C) construction [2].)

Figure 4. A typical play of not_id

To allow call/cc to be interpreted, the weak bracketing condition is relaxed. In this model, throwing a continuation and handling an exception both correspond to playing a move which is not contingent on the pending question; the distinguishing feature of exceptions is that they allow contingency pointers to be observed. The most interesting feature of the model is that (unlike the model of continuations in Q [11]) it is not an example of a continuation-passing-style construction; it contains observably distinct strategies which represent terms which are equivalent in all CPS models. These terms constitute a further counterexample to the claim that exceptions can be expressed using continuations, which can be presented without recourse to the game semantics.
Abstract

We propose a notion of interval object in a category with finite products, providing a universal property for closed and bounded real line segments. The universal property gives rise to an analogue of primitive recursion for defining computable functions on the interval. We use this to define basic arithmetic operations and to verify equations between them. We test the notion in categories of interest. In the category of sets, any closed and bounded interval of real numbers is an interval object. In the category of topological spaces, the interval objects are closed and bounded intervals with the Euclidean topology. We also prove that an interval object exists in any elementary topos with natural numbers object.

1  Introduction 

In set theory, one can implement the real numbers in many ways. For example, one can use Dedekind sections or equivalence classes of Cauchy sequences of rational numbers. But what is it that one is implementing? Assuming classical logic, either implementation produces a complete Archimedean field and, moreover, any two such fields are isomorphic. In fact, for the purposes of classical analysis, one never uses a particular mathematical implementation of the reals. One relies instead on the specification of the real-number system as a complete Archimedean field and works axiomatically. The only purpose of particular implementations is to be reassured that there is at least one such field.

Unfortunately, when one tries to carry out such a programme in other foundational settings, difficulties arise. One obstacle is that the categoricity of this axiomatization relies on the principle of excluded middle, which is not always available, particularly in settings that are relevant to the theory of computation. Further, one may criticize the axiomatization on the grounds that, although it is aiming to characterize the real line, which is fundamentally a geometric structure, it makes essential use of abstract concepts, such as suprema of bounded sets of points, whose geometric meaning is unclear. In addition, the field axioms involve operations, such as multiplication and reciprocation, which one might rather see as derived from more primitive constructions.

A further objection to the field axiomatization is its lack of explicit computational content. To develop a theory of computability in the sense of Turing [32], one has to start by effectively presenting a particular implementation of the field of real numbers. For example, one can implement real numbers as Cauchy sequences of rational numbers with fixed rate of convergence [3]. Then one has to argue that the basic field operations are computable and that various methods of defining new functions from old preserve computability — see e.g. Weihrauch [34]. With this approach, computability arguments involve heavy manipulation of Gödel numberings, which are detached from the usual practice of real analysis.

The above contrasts with the natural numbers, where primitive recursion, the basic computational mechanism, is not only embodied in their usual Peano axiomatization but can also be taken as their defining property. An elegant formulation of such an axiomatization was given by Lawvere in his definition of a natural numbers object [22]. This style of axiomatization has been adopted for other inductively defined data types, such as lists and trees, which admit canonical forms of recursion that reflect their characterization as initial algebras. Dually, infinite data types, such as streams, are characterized as final coalgebras, with corresponding forms of corecursion. This formulation of data types has been convincingly exploited by Bird and de Moor in their algebraic approach to programming [2].

To place the real numbers into the above framework, one requires a notion of real number data type whose defining property embodies primitive mechanisms for recursion over the reals. In this paper, we present such an axiomatization for closed and bounded line segments, or interval objects for short. We characterize interval objects by a universal property that captures a basic geometrical notion and simultaneously provides a computational notion of recursion. Thus, remarkably, our axiomatization reconciles geometrical and computational conceptions of the line.

In  brief,  our  axiomatization: 

(i)  is  based  on  elementary  geometrical  considerations, 

(ii)  has  direct  computational  content, 

(iii)  applies  in  a  wide  variety  of  settings, 

(iv)  gives  what  one  would  expect  in  specific  examples. 

Regarding (i), we take a midpoint operation as the basic structure of line segments, with four axioms that correspond to intuitive geometric properties. We define a convex body as a midpoint algebra in which the midpoint operation can be infinitely iterated, in a precise sense discussed in the technical development that follows. Then an interval object is defined to be a free convex body over two generators, its endpoints. Geometrically, the free property amounts to the fact that any two points of a convex body are connected by a unique line segment.

Regarding (ii), the free property gives rise to an analogue of primitive recursion for defining computable functions on the interval. In particular, we use this to define basic arithmetic operations and to verify equations between them.

Regarding (iii), we make as few ontological commitments as possible by formulating our definitions in the general setting of a category with finite products. Nevertheless, to make the paper accessible to readers who are uncomfortable with category theory, we use, as far as possible, standard algebraic notation, so that everything we say can be easily understood in familiar mathematical terms. Indeed, when specialized to categories such as sets and topological spaces, our definitions assume rather concrete meanings.

Regarding (iv), we have: (1) In the category of sets, any closed and bounded interval of real numbers is an interval object (Theorem 1). (2) In the category of topological spaces, any closed and bounded interval under the usual Euclidean topology is an interval object (Theorem 2). Thus, our axiomatization of line segments exhibits the Euclidean topology as intrinsic rather than imposed structure, because it is this topology that gives rise to an interval object. This is interesting in connection with the often cited fact that the computable functions on the reals are continuous. (3) In any elementary topos with natural numbers object, an interval object is given by the Cauchy completion of the interval of Cauchy reals within the Dedekind reals (Theorem 3). In many cases this coincides with the Cauchy or Dedekind intervals; but, in general, we seem to be identifying an intriguing new intuitionistic notion of real number. For details see Section 9. Some other possible settings are discussed briefly in Section 10.

For lack of space, all proofs are omitted from this extended abstract.


Related work This paper has its origins in the first author's work on exact real number computation [10, 11]. In this approach, real numbers are represented by concrete computational structures such as streams, allowing computations to be performed to any desired degree of accuracy [35, 6, 4, 5, 33]. Of particular relevance to our work is the issue of obtaining an abstract data type of real numbers, in which the underlying computational representation is hidden [5, 8, 10, 11].

In the programming language Real PCF [10], the abstract data type is based on simple real number constructors and destructors. Mathematically, the constructors are unary midpoint operations x ↦ 0 ⊕ x and x ↦ x ⊕ 1 on the unit interval [0, 1], where x ⊕ y = (x + y)/2 is the binary midpoint operation. These primitives are used by Escardó and Streicher [11] to characterize the interval data type by a universal property, from which structural recursion mechanisms for real numbers are obtained. Thus, this work achieves many of the aims of the present paper. However, it crucially relies on general recursion and the consequent presence of partiality. Indeed, the interval data type includes partial real numbers as essential ingredients of its characterization, and the characterization only works in a domain-theoretic setting.

The goal of the present work is to obtain a characterization of the real numbers that applies to a variety of computational settings, including those, such as intuitionistic type theory [25], in which only total functions are available. Although such a programme has not been undertaken previously, algebraic and coalgebraic techniques, similar to the ones used in the present paper, do occur in previous axiomatizations of the reals.

Higgs [14] defines magnitude algebras and proves that the interval [0, ∞] endowed with the function x ↦ x/2 and the summation operation Σ : [0, ∞]^ω → [0, ∞] is the magnitude algebra freely generated by 1. His definition is purely equational and is based on binary expansions of numbers. Although our work has some connections with Higgs', especially regarding the idea of using an infinitary operation, there are some important differences. Firstly, in the category of topological spaces, the free magnitude algebra over one generator is the interval [0, ∞] with the topology of lower semicontinuity rather than the Euclidean topology. Indeed, the infinitary summation operation is not continuous with respect to the Euclidean topology. Secondly, in general, the Dedekind or Cauchy [0, ∞] intervals in an elementary topos are not magnitude algebras, let alone free ones, as there are toposes, such as Johnstone's topological topos [17], in which these objects do not support the summation operation.

Motivated by the stream implementations of real numbers, Pavlovic and Pratt [29] consider coalgebraic definitions of the reals. However, they do not make connections with the computational and geometrical requirements discussed above. Peter Freyd [12] considers a more geometrical coalgebraic approach. In fact, he also places emphasis on midpoint algebras, although the midpoint operation is derived rather than primitive. His approach does appear to have some computational content, but this has yet to be elaborated.

2  Convex  bodies  and  interval  objects 

This  section  presents  the  main  definitions  of  this  paper, 
the  notions  of  abstract  convex  body  and  interval  object. 

As  discussed  in  the  introduction,  we  define  the  interval 
as  the  free  convex  body  over  two  generators.  To  do  this, 
we  require  an  abstract  notion  of  convex  body  that  makes 
no  reference  to  real  numbers.  We  achieve  this  by  viewing 
convex  bodies  as  algebraic  structures. 

The algebraic structure we identify is that associated with the basic ruler-and-compass construction of bisecting a line. Given two points in a convex body A, this construction finds the point midway between them. It thus corresponds to a binary midpoint operation m : A × A → A. We begin by axiomatizing the equational properties of such midpoint operations.

Let  C  be  a  category  with  finite  products. 

Definition 2.1 (Midpoint algebra) A midpoint algebra in C is a pair (A, m), where m : A × A → A is any morphism, satisfying:

1. m(x, x) = x (idempotency)

2. m(x, y) = m(y, x) (commutativity)

3. m(m(x, y), m(z, w)) = m(m(x, z), m(y, w)) (transposition)

A midpoint algebra is said to be cancellative if it satisfies:

4. m(x, z) = m(y, z) implies x = y (cancellation)

A homomorphism from (A, m) to (A′, m′) is a morphism f : A → A′ such that f(m(x, y)) = m′(f(x), f(y)). We write MidAlg(C) for the category of midpoint algebras and their homomorphisms.

In order to understand such ordinary algebraic notation in an arbitrary category with finite products, the variables must be interpreted as generalized elements. Thus, for example, the homomorphism equation states: for all generalized elements x, y : Z → A (where Z is any object), f ∘ m ∘ ⟨x, y⟩ = m′ ∘ ⟨f ∘ x, f ∘ y⟩. In this case, the condition simplifies to the (unquantified) equation f ∘ m = m′ ∘ (f × f).

The equations of midpoint algebras are not new. For example, they have appeared as the axioms of medial means in the work of Kermit [20]. They have also recently been popularized by Peter Freyd in his investigations of (co)algebraic properties of the interval [12].

Example 2.2 The set ℝⁿ is a cancellative midpoint algebra under the function ⊕ : ℝⁿ × ℝⁿ → ℝⁿ defined by

x ⊕ y = (x + y)/2.

This yields a whole range of cancellative midpoint algebras given by subsets A ⊆ ℝⁿ closed under ⊕. We call such midpoint algebras standard midpoint subalgebras of ℝⁿ. Examples are: the set of dyadic rational points; the set of rational points; the set of algebraic points; any convex set.

These examples show that the midpoint axioms are still far from capturing the full power of convexity, which requires one to be able to fill in an entire connected line between any two points. Intuitively, we need to express something like a notion of Cauchy completeness for midpoint algebras. However, Cauchy completeness itself cannot be the appropriate notion, as midpoint algebras do not necessarily carry a metric structure. More fundamentally, we cannot use the notion of metric space to define the interval, because axiomatizing metric spaces already begs the question of what the real numbers are. Instead, we need a method of axiomatizing the completeness of midpoint algebras in terms of their algebraic structure alone.

Consider an arbitrary sequence of points x₀, x₁, ... in an ordinary Euclidean convex body A. Let z be any point of A and consider the derived sequence

m(x₀, z), m(x₀, m(x₁, z)), m(x₀, m(x₁, m(x₂, z))), ...

If A is bounded then this is a Cauchy sequence whose unique limit point lies in A and is independent of z. Thus, any sequence x₀, x₁, ... determines a unique point m(x₀, m(x₁, m(x₂, ...))) obtained by infinitely iterating the binary operation m over the sequence. Our notion of completeness for a midpoint algebra A is to ask that such infinite iterations always exist.

In the category of sets, such a requirement can be expressed directly, albeit clumsily — see Proposition 3.1. Remarkably, there is a very concise formulation in purely categorical terms. Infinite sequences of elements of A are naturally expressed using coalgebras for the functor (A × (−)), i.e. morphisms of the form ⟨h, t⟩ : X → A × X. Indeed, any such coalgebra determines an object X of sequences of elements of A, as specified by the head and tail maps h : X → A and t : X → X respectively. We can now state the property of being able to iterate the midpoint operation m over any sequence so specified.
Definition 2.3 (Iterative algebra) A midpoint algebra (A, m) is iterative if it satisfies the iteration axiom: for every map c : X → A × X, there exists a unique u : X → A such that the diagram below commutes.

           c
    X -----------> A × X
    |                |
  u |                | id × u
    v                v
    A <----------- A × A
           m

In other words, (A, m) is iterative if, for any coalgebra c = ⟨h, t⟩ : X → A × X, there exists a unique u satisfying u(x) = m(h(x), u(t(x))).

The above definition states that a midpoint algebra (A, m) is iterative if it is final as an (A × (−))-algebra with respect to coalgebra-to-algebra homomorphisms from (A × (−))-coalgebras. Interestingly, the dual notion of a coalgebra being initial with respect to arbitrary algebras has arisen in recent work of Taylor [31, Section 6.3] and Eppendahl [9].

We are now in a position to formulate our abstract notion of convex body.

Definition 2.4 (Abstract convex body) An abstract convex body is a cancellative iterative midpoint algebra.

We henceforth omit the word abstract, except when required to avoid confusion due to alternative notions of convex body being available (for example, in Euclidean space, where ordinary convex bodies are convex sets with nonempty interior). We write Conv(C) for the full subcategory of MidAlg(C) whose objects are convex bodies.

Example 2.5 Continuing from Example 2.2, any bounded convex subset of ℝⁿ, considered as a standard midpoint subalgebra of ℝⁿ, is an abstract convex body. Indeed, given functions h : X → A and t : X → X, where X is any set, the unique function u : X → A determined from the coalgebra ⟨h, t⟩ : X → A × X by the iteration axiom is

u(x) = Σ_{i≥0} 2^{−(i+1)} h(tⁱ(x)).   (1)

An important point is that the boundedness of A is crucial for u to be well-defined. In fact, a standard midpoint subalgebra of ℝⁿ is an abstract convex body if and only if it is a bounded convex subset of ℝⁿ; and, given a bounded convex subset B of ℝᵐ, a function f : A → B is a homomorphism of abstract convex bodies (i.e. a homomorphism w.r.t. ⊕) if and only if it is affine. See Section 3 for details.

Example 2.6 Let A be any bounded convex subset of ℝⁿ endowed with the Euclidean topology. Then ⊕ also exhibits A as a convex body in the category Top of topological spaces. Indeed, given any continuous (A × (−))-coalgebra ⟨h, t⟩ : X → A × X (where X is any space), the function u defined in (1) is again the unique map required by the iteration axiom. The interesting fact here is that u is continuous. This example will be expanded upon in Section 8.

As motivated in the introduction, the interval will be defined as the free abstract convex body over two generators. This amounts to being an initial object in a suitable category of bipointed convex bodies.

A bipointed convex body is a structure (A, m, a, b) where (A, m) is a convex body and a, b : 1 → A are global points. Homomorphisms between bipointed convex bodies are required to preserve the points as well as the binary algebra structure; i.e. f : A → A′ is a homomorphism from (A, m, a, b) to (A′, m′, a′, b′) if and only if it is a homomorphism from (A, m) to (A′, m′) and a′ = f ∘ a and b′ = f ∘ b. We write BiConv(C) for the category of bipointed convex bodies and their homomorphisms.

We can now give the main definition of the paper.

Definition 2.7 (Interval object) An interval object in C is an initial object in BiConv(C).

Example 2.8 In Set, any closed interval [a, b] ⊆ ℝ, with a < b, gives an interval object ([a, b], ⊕, a, b). Of course the choice of a and b makes no difference. For future convenience, we take the interval I = [−1, 1] as our standard closed interval and (I, ⊕, −1, 1) as our standard interval object. This example is discussed in more detail in Section 3.

Example 2.9 In Top, (I, ⊕, −1, 1) is again an interval object when I is equipped with the Euclidean topology. This is discussed further in Section 8.
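The derived sequence m(x₀, m(x₁, ... m(xₙ₋₁, z)...)) from the discussion before Definition 2.3, and the function u of formula (1) in Example 2.5, can both be computed in exact rational arithmetic. The following Python code is an added example, not code from the paper: it shows that the nested midpoints depend on the seed z only through a term that halves at each step, so the limit is independent of z, and that the partial sums of formula (1) satisfy the iteration equation u(x) = m(h(x), u(t(x))) term for term. The alternating coalgebra on the two-element state space, whose iterated midpoint is 1/3, is constructed for the illustration.

```python
# Added example (not from the paper): iterating the midpoint operation over a
# sequence, in exact rational arithmetic, to see why the limit exists and is
# independent of the seed z, and how formula (1) realises the iteration axiom.
from fractions import Fraction
from typing import Any, Callable, Sequence


def midpoint(a, b) -> Fraction:
    """The binary midpoint operation of Example 2.2: a (+) b = (a + b)/2."""
    return (Fraction(a) + Fraction(b)) / 2


def nested_midpoints(xs: Sequence[Fraction], z) -> Fraction:
    """m(x0, m(x1, ... m(x_{n-1}, z)...)), the n-th term of the derived sequence, n = len(xs)."""
    acc = Fraction(z)
    for x in reversed(xs):
        acc = midpoint(x, acc)
    return acc


def seed_dependence(xs: Sequence[Fraction], z1, z2) -> Fraction:
    """How much the n-th term still depends on the seed; it equals (z1 - z2)/2^n."""
    return nested_midpoints(xs, z1) - nested_midpoints(xs, z2)


def iterate_coalgebra(h: Callable[[Any], Fraction], t: Callable[[Any], Any], x: Any, n: int) -> Fraction:
    """Partial sum of formula (1): sum_{i<n} 2^{-(i+1)} h(t^i(x)), i.e. the unique u of
    Definition 2.3 for the coalgebra <h, t> : X -> A x X, truncated after n terms."""
    total, state = Fraction(0), x
    for i in range(n):
        total += Fraction(1, 2 ** (i + 1)) * h(state)
        state = t(state)
    return total


def iteration_equation_holds(h, t, x, n: int) -> bool:
    """u(x) = m(h(x), u(t(x))) on the n-term truncations (exact: both sides share
    the same n leading terms of the series)."""
    return iterate_coalgebra(h, t, x, n) == midpoint(h(x), iterate_coalgebra(h, t, t(x), n - 1))


# Constructed coalgebra: state space X = {0, 1}, head 1 or -1, tail flips the state,
# so the sequence read off from state 0 is 1, -1, 1, -1, ... with iterated midpoint 1/3.
def alt_head(s: int) -> Fraction:
    return Fraction(1) if s == 0 else Fraction(-1)


def alt_tail(s: int) -> int:
    return 1 - s


def alternating_prefix(n: int) -> list:
    """The first n elements of the sequence determined by <alt_head, alt_tail> from state 0."""
    return [alt_head(i % 2) for i in range(n)]


def converges_to_third(n: int) -> bool:
    """|u_n(0) - 1/3| < 2^-n for the alternating coalgebra (the tail of the series is geometric)."""
    return abs(iterate_coalgebra(alt_head, alt_tail, 0, n) - Fraction(1, 3)) < Fraction(1, 2 ** n)


if __name__ == "__main__":
    xs = alternating_prefix(10)
    print(nested_midpoints(xs, 1), nested_midpoints(xs, -1))  # two seeds, 1/512 apart
    print(seed_dependence(xs, 1, -1))                         # 1/512 = 2 / 2^10
    print(iterate_coalgebra(alt_head, alt_tail, 0, 20))       # within 2^-20 of 1/3
```

The seed term (z₁ − z₂)/2ⁿ is exactly the reason the text asks A to be bounded: with z ranging over an unbounded set the n-th terms would not be Cauchy, and in Example 2.5 the series (1) could fail to converge.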

3  Interval  objects  in  the  category  of  sets 

In this section we study abstract convex bodies in the category Set of sets, and we show that the interval object in Set is indeed (I, ⊕, −1, 1), as claimed in Example 2.8.

The least familiar aspect of the definition of convex body is the notion of iterative algebra. We begin by showing that, in Set, iterative algebras are exactly algebras supporting an additional operation of countably-infinite arity that satisfies certain characterising properties relating it to the binary operation. In general, this reformulation provides the most straightforward method of showing that an algebra is iterative.
Proposition 3.1 Let (A, m) be a midpoint algebra in Set.

1. (A, m) is iterative if and only if there exists a function M : A^ω → A satisfying:

(a) M(x₀, x₁, x₂, ...) = m(x₀, M(x₁, x₂, x₃, ...))

(b) If y₀ = m(x₀, y₁), y₁ = m(x₁, y₂), y₂ = m(x₂, y₃), ... then y₀ = M(x₀, x₁, x₂, ...).

Moreover if (A, m) is iterative then there is a unique M satisfying (a).

2. If (A, m) and (A′, m′) are iterative midpoint algebras then any homomorphism f : A → A′ is also a homomorphism with respect to the associated infinitary M and M′; i.e. for every sequence x₀, x₁, ...

f(M(x₀, x₁, ...)) = M′(f(x₀), f(x₁), ...).

With an appropriate reformulation, the above proposition generalizes from the category of sets to any category with finite products and a parameterized natural numbers object.

It is useful to identify additional equational properties satisfied by the associated infinitary operations. We use Mᵢ(xᵢ) as a shorthand for M(x₀, x₁, x₂, ...).

Proposition 3.2 For any iterative midpoint algebra (A, m) in Set, with infinitary M : A^ω → A,

1. x = M(x, x, x, ...),

2. m(x, y) = M(x, y, y, y, ...),

3. Mᵢ(Mⱼ(x_{ij})) = Mⱼ(Mᵢ(x_{ij})),

4. Mᵢ(m(xᵢ, yᵢ)) = m(Mᵢ(xᵢ), Mᵢ(yᵢ)).

For an iterative midpoint algebra to be a convex body it must also be cancellative. We have yet to see any technical consequence of this property. In fact, for iterative midpoint algebras, cancellation is equivalent to an important approximation property. To formulate this, we write mₙ for the (n + 1)-ary operation defined by m₀(x) = x and mₙ(x₀, ..., xₙ) = m(x₀, mₙ₋₁(x₁, ..., xₙ)) for n ≥ 1. Thus m₁ is just m itself.

Proposition 3.3 For an iterative midpoint algebra (A, m) in Set, the following are equivalent.

1. (A, m) is cancellative.

2. The associated M : A^ω → A satisfies the following approximation property. If for all n ≥ 0, there exist zₙ, wₙ ∈ A such that

mₙ(x₀, ..., xₙ₋₁, zₙ) = mₙ(y₀, ..., yₙ₋₁, wₙ)

then M(x₀, x₁, ...) = M(y₀, y₁, ...).

This is far from immediate and is used crucially in the proof of Theorem 1.

Having  obtained  a  good  understanding  of  what  the  dif¬ 
ferent  aspects  of  the  definition  of  convex  body  mean  in  Set, 
we  return  to  Examples  2.5  and  2.8. 

Proposition 3.4 If A is a standard midpoint subalgebra of ℝⁿ, then A is an abstract convex body if and only if it is a bounded convex subset of ℝⁿ.

Suppose A ⊆ ℝⁿ and A′ ⊆ ℝᵐ are convex sets. Recall that a function f : A → A′ is said to be affine if it preserves so-called convex combinations, i.e., for λ₁, ..., λₖ ∈ [0, 1] with Σᵢ λᵢ = 1,

f(Σ_{i=1}^{k} λᵢ xᵢ) = Σ_{i=1}^{k} λᵢ f(xᵢ).

The next proposition demonstrates the naturalness of homomorphisms between abstract convex bodies.

Proposition 3.5 For bounded convex sets A ⊆ ℝⁿ and A′ ⊆ ℝᵐ, a function f : A → A′ is affine if and only if it is a homomorphism with respect to ⊕.

An  example  due  to  Peter  Freyd  [12],  which  uses  the  ax¬ 
iom  of  choice,  can  be  used  to  show  that  the  boundedness 
assumption  is  essential  for  Proposition  3.5  to  hold. 

Theorem 1 (I, ⊕, −1, 1) is an interval object in Set.

4  Parameterized  interval  objects 

It is well known that Lawvere's elegant definition of a natural numbers object, which works very well in cartesian closed categories, is not powerful enough in categories with weaker structure. Instead, a modified parameterized definition is needed [21, 7]. In a category with finite products, the notion of parameterized natural numbers object supports the definition of functions by primitive recursion. Moreover, in a cartesian closed category, any ordinary natural numbers object is automatically parameterized. Much the same situation arises for interval objects.

Definition 4.1 (Parameterized interval object) A parameterized interval object is a bipointed convex body $(\mathbb{I}, \oplus, -1, 1)$ such that, for any convex body $(A, m)$ and morphisms $f : X \to A$ and $g : X \to A$ in $\mathcal{C}$, there exists a unique morphism $([f, g]) : X \times \mathbb{I} \to A$ satisfying

$([f, g])(x, y \oplus z) = m\big(([f, g])(x, y),\ ([f, g])(x, z)\big),$

$([f, g])(x, -1) = f(x),$

$([f, g])(x, 1) = g(x),$

i.e. there is a unique right-homomorphism of bipointed convex bodies from $X \times \mathbb{I}$ to $A$.
By instantiating $X$ to the terminal object, it is easily seen that any parameterized interval object is indeed an interval object. The converse holds when $\mathcal{C}$ is cartesian closed:

Proposition  4.2  If  C  is  cartesian  closed  then  any  interval 
object  is  parameterized. 

Henceforth in this section, let $\mathcal{C}$ be a category with finite products and parameterized interval object $(\mathbb{I}, \oplus, -1, 1)$. The basic arithmetic operations on $\mathbb{I}$ can be defined by

$0 : 1 \to \mathbb{I} = (-1) \oplus (1),$

$- : \mathbb{I} \to \mathbb{I} = ([1, -1]),$

$\times : \mathbb{I} \times \mathbb{I} \to \mathbb{I} = ([-, \mathrm{id}_{\mathbb{I}}]).$

More explicitly, the above defines multiplication as the unique morphism $\mathbb{I} \times \mathbb{I} \to \mathbb{I}$ satisfying

$x \times (y \oplus z) = (x \times y) \oplus (x \times z),$

$x \times (-1) = -x,$

$x \times 1 = x.$

Importantly, the universal property of $\mathbb{I}$, stated in Definition 4.1, suffices to establish the basic equations between the above operations.

Proposition 4.3

$-(-x) = x,$

$x \times y = y \times x,$

$x \times (y \times z) = (x \times y) \times z,$

$-0 = 0,$

$x \oplus -x = 0,$

$-(x \oplus y) = (-x) \oplus (-y),$

$x \times 0 = 0,$

$x \times -y = -(x \times y).$

The  most  entertaining  proof  is  that  of  the  commutativity  of 
multiplication. 

5  Primitive  interval  functions 

In this section we give some preliminary results on the power of the notion of interval object with respect to defining functions on the interval. As mentioned above, any parameterized natural numbers object supports definition by primitive recursion. Here we investigate the definitional mechanisms supported by parameterized interval objects.

In fact, a parameterized interval object supports two complementary styles of definition. On the one hand, the universal property of parameterized initiality gives one mechanism for defining functions, used above to define negation and multiplication. On the other, the couniversal property of the iteration axiom supports another type of definition, needed, for example, to define non-dyadic rational numbers. Parameterized interval objects allow any combination of these two styles. We investigate the power of such combinations for the purpose of defining functions on $\mathbb{I}$ in Set.

Definition 5.1 (Primitive interval functions) The primitive interval functions on $\mathbb{I}$ are the functions in the smallest family $\{\mathcal{F}_n \subseteq \mathbb{I}^n \to \mathbb{I}\}_{n \ge 0}$ satisfying:

(i) $-1, 1 \in \mathcal{F}_0$.

(ii) If $f \in \mathcal{F}_m$ and $g_1, \ldots, g_m \in \mathcal{F}_n$ then the composite $f \circ \langle g_1, \ldots, g_m \rangle \in \mathcal{F}_n$.

(iii) If $f, g \in \mathcal{F}_n$ then the function $h$ defined below is in $\mathcal{F}_{n+1}$:

$h(x, y) = \tfrac{1}{2}(1 - y) f(x) + \tfrac{1}{2}(1 + y) g(x).$

(iv) If $f_1, \ldots, f_n, g \in \mathcal{F}_n$ then the unique function $h$ satisfying the equation below is in $\mathcal{F}_n$:

$h(x) = \tfrac{1}{2} g(x) + \tfrac{1}{2} h(f_1(x), \ldots, f_n(x)).$

Here (iii) corresponds to the parameterized initiality of $\mathbb{I}$, with respect to $\mathbb{I}^n$ as the object of parameters, and (iv) corresponds to the iteration axiom, as induced by the coalgebra $(g, f_1, \ldots, f_n) : \mathbb{I}^n \to \mathbb{I} \times \mathbb{I}^n$. Note that property (ii) means that tuples of primitive interval functions between finite powers of $\mathbb{I}$ form a category. This category has finite products because the projections are definable, using (iii). The function defined by (iv) is given explicitly by

$h(x) = \sum_{i \ge 0} 2^{-(i+1)}\, g\big((f_1, \ldots, f_n)^i(x)\big).$

A natural generalization is to replace the sequence $\big(g \circ (f_1, \ldots, f_n)^i\big)_i$ of composite functions with an arbitrary sequence of (already defined) $n$-ary functions.

Definition 5.2 (Countably-primitive functions) The countably-primitive interval functions on $\mathbb{I}$ are the functions in the smallest family $\{\mathcal{F}_n \subseteq \mathbb{I}^n \to \mathbb{I}\}_{n \ge 0}$ satisfying (i)-(iii) of Definition 5.1 and also

(iv)' Given $f_0, f_1, \ldots \in \mathcal{F}_n$, the function $h$ defined below is in $\mathcal{F}_n$:

$h(x) = \sum_{i \ge 0} 2^{-(i+1)} f_i(x).$

Clearly every primitive interval function is a countably-primitive interval function. The converse does not hold as there are continuum many countably-primitive interval functions, but only countably many primitive interval functions. Indeed, every element of $\mathbb{I}$ gives a countably-primitive interval function of arity 0 (i.e. a constant). Although this cannot hold for the primitive interval functions, we do at least have the following.

Proposition 5.3 Every rational in $\mathbb{I}$ gives a primitive interval constant.

The  proof  makes  crucial  use  of  property  (iv). 

As in Section 4, we have $0$, $-$, $\times$ as primitive interval functions. Thus every $n$-variable $\oplus$-polynomial (i.e. polynomial where $\oplus$ replaces the usual $+$) with rational coefficients is an $n$-ary primitive interval function.

We  are  not  sure  how  much  further  definability  can  be 
pushed  with  the  primitive  interval  functions,  as  we  now 
show  that  even  the  countably-primitive  interval  functions 
are  very  limited. 

Proposition 5.4 If $f$ is an $n$-ary countably-primitive interval function, and $x_0, \ldots, x_{n-1}, y_0, \ldots, y_{n-1} \in \mathbb{I}$ are such that $y_i = x_i$ whenever $x_i \in \{-1, 1\}$, then $f(x_0, \ldots, x_{n-1}) \in \{-1, 1\}$ implies $f(y_0, \ldots, y_{n-1}) = f(x_0, \ldots, x_{n-1})$.

This  is  proved  by  induction  over  the  defining  properties  of 
the  countably-primitive  interval  functions. 

Thus if $f$ is a unary countably-primitive interval function and $f(x) \in \{-1, 1\}$ for some $x$ in the interior $(-1, 1)$ then $f$ is a constant function. Clearly then, the following truncated double function is not a countably-primitive interval function.

$d(x) = \begin{cases} 1 & \text{if } 1/2 \le x, \\ 2x & \text{if } -1/2 \le x \le 1/2, \\ -1 & \text{if } x \le -1/2. \end{cases}$

Accordingly, define the $d$-primitive interval functions to be the smallest class of functions containing $d$ and closed under (i)-(iv). Define the countably-$d$-primitive interval functions analogously. The reason for selecting $d$ amongst the non-countably-primitive interval functions is:

Proposition 5.5 The $n$-ary countably-$d$-primitive interval functions are exactly the continuous functions $\mathbb{I}^n \to \mathbb{I}$.

The proof uses the Stone-Weierstrass approximation theorem [30].

Thus including $d$ as a basic function enormously increases definability. It is our hope that this increase in definability also means that the $d$-primitive interval functions form a useful class, somewhat analogous to the primitive recursive functions on $\mathbb{N}$. Although we have yet to undertake any systematic investigation of this class, we do have one important result. Recall the standard notion of an $n$-ary computable function on $\mathbb{I}$ [34].

Proposition 5.6 Every $n$-ary $d$-primitive interval function is an $n$-ary computable function on $\mathbb{I}$.

This result follows from Theorem 3 of Section 9 below, by interpreting it in a realizability topos in which the morphisms on the interval are exactly the computable functions. However, in the next section, we outline a direct proof, by showing that the computable functions are closed under the defining properties of the $d$-primitive interval functions.

6  An  interval  data  type 

In Proposition 3.1, we have seen that, in the category of sets, the iteration axiom is captured by the existence of an infinitary version $M$ of the midpoint operation $m$. Moreover, a function of convex bodies is a homomorphism with respect to $m$ if and only if it is a homomorphism with respect to $M$. Additionally, Proposition 3.2 shows that $m$ is easily defined from $M$. This suggests that one might consider the $\omega$-ary operation $M$ as the primitive algebraic operator on convex bodies, rather than $m$. In this section, we exploit this idea to base a data type for the interval $\mathbb{I}$ on the term algebra of an $\omega$-ary operation $M$ and two constants $-1$ and $1$.

We outline an implementation using a functional programming notation similar to ML [28] and Haskell [1] (it is not important whether an eager or lazy language is used). Our data type I is defined as follows.

datatype I = -1 | 1 | M of Nat -> I

Within the interval type I, we single out the $\omega$-branching well-founded trees as those data elements representing points of the interval. Such trees are precisely the elements of the term algebra mentioned above. To interpret a tree as representing an element of $\mathbb{I}$, the infinitary operator $M$ is interpreted as the iterated midpoint operation

$M(x_0, x_1, x_2, \ldots) = \sum_{i=0}^{\infty} 2^{-(i+1)} x_i,$

using which any $\omega$-branching well-founded tree evaluates to a unique point in $\mathbb{I}$. Thus, by this interpretation, $\mathbb{I}$ is given as a quotient of the set of all $\omega$-branching well-founded trees.

The iteration axiom of Definition 2.3, in the concrete form given in Example 2.5, corresponds to the following corecursion combinator.

corec : (X -> I) -> (X -> X) -> (X -> I)

corec h t x = M (\i -> h (t^i x))

In this definition, \i -> t is typewriter notation for the lambda expression $\lambda i.\,t$ and we use the evident notation for function iteration.

The initiality of $\mathbb{I}$, as in Definition 2.7, is exhibited by the following recursion combinator.

rec : ((Nat -> A) -> A) -> A -> A -> (I -> A)

rec N a b -1 = a

rec N a b 1 = b

rec N a b (M s) = N (\i -> rec N a b (s i))
In this definition, the first argument N is the infinitary midpoint operation of a given bipointed convex body A, and the second and third arguments a and b are the distinguished points. We have not built any explicit type of parameters into the type of rec, because parameterization is induced automatically by the functional language. For example, negation and multiplication are defined as in Section 4, using the recursion combinator.

neg : I -> I

neg = rec M 1 -1

mul : I -> I -> I

mul x = rec M (neg x) x

The recursion and corecursion combinators correspond to conditions (iii) and (iv) of Definition 5.1 respectively. The truncated double function can also be implemented using the datatype I, but this is surprisingly tricky. However, curiously, an algorithm for doing this occurs fairly explicitly in our (omitted) proof of Theorem 3 below. It follows that the $d$-primitive interval functions are definable on our interval data type I.

Because we are using a non-standard representation of the interval, based on the infinitary midpoint operation, it is important to show that our representation is interconvertible with the standard representations used in exact real number arithmetic. One such representation, signed binary, uses a data type I' of infinite sequences of the three digits -1, 0 and 1; see [35]. It is trivial to convert from signed binary sequences to our representation I, using the facts that $0 = M(-1, 1, 1, 1, \ldots)$ and that a signed binary expansion $0.d_0 d_1 d_2 \ldots$ is the same as $M(d_0, d_1, d_2, \ldots)$. To translate in the other direction, one first defines the iterated midpoint operation M' : (Nat -> I') -> I' (an interesting programming exercise), and then the conversion function I -> I' is simply rec M' (\i -> -1) (\i -> 1).
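The data type, the rec and corec combinators, neg, mul and the signed-binary-to-I conversion of this section, as an added example in Python; this is not the paper's code. It represents an M node as a class holding its branch function, and the evaluation of a tree to a rational within $2^{-k}$ is itself written as a rec whose convex body is the precision-indexed approximants; the names approx, ZERO, HALF, MINUS_HALF and THIRD, the truncation scheme in approx, and the sample points are my constructions. THIRD shows the remark of Section 5 that the iteration axiom (corec) reaches a non-dyadic rational.

```python
from fractions import Fraction

# Constructed example, not the paper's code: the interval data type
#   datatype I = -1 | 1 | M of Nat -> I
# in Python. A point of I is the int -1, the int 1, or an M node whose
# branch function Nat -> I gives the (lazily built) subtrees; M is read as
# the iterated midpoint  M(x0, x1, x2, ...) = sum_i 2^-(i+1) x_i.


class M:
    """Infinitary midpoint node; branch(i) is the i-th subtree."""
    __slots__ = ("branch",)

    def __init__(self, branch):
        self.branch = branch


def rec(N, a, b, t):
    """Recursion combinator (initiality of I): the unique map I -> A sending
    -1 to a, 1 to b, and an M node to N applied to its mapped branches,
    where N is the infinitary midpoint of the convex body A."""
    if t == -1:
        return a
    if t == 1:
        return b
    return N(lambda i: rec(N, a, b, t.branch(i)))


def corec(h, t, x):
    """Corecursion combinator (iteration axiom):
    corec h t x = M(h x, h(t x), h(t(t x)), ...)."""
    def branch(i):
        y = x
        for _ in range(i):          # t^i x
            y = t(y)
        return h(y)
    return M(branch)


def neg(x):
    """neg = rec M 1 -1"""
    return rec(M, 1, -1, x)


def mul(x, y):
    """mul x = rec M (neg x) x, applied to y."""
    return rec(M, neg(x), x, y)


# 0 = M(-1, 1, 1, 1, ...)
ZERO = M(lambda i: -1 if i == 0 else 1)


def from_signed_binary(digits):
    """Signed binary 0.d0 d1 d2 ... (digits : Nat -> {-1, 0, 1}) is
    M(d0, d1, d2, ...), with the digit 0 read as the tree ZERO."""
    def branch(i):
        d = digits(i)
        return ZERO if d == 0 else d
    return M(branch)


def approx(t, k):
    """Rational approximation of the point denoted by t with |error| <= 2^-k.
    Written as a rec: the convex body is the precision-indexed approximants
    Nat -> Fraction, whose midpoint N(s)(prec) keeps the first prec+1 terms
    of the series, each taken at precision prec+1, so the truncated tail
    and the accumulated branch errors each contribute at most 2^-(prec+1)
    (this truncation scheme is my assumption, not the paper's)."""
    def N(s):
        def at(prec):
            return sum(Fraction(1, 2 ** (i + 1)) * s(i)(prec + 1)
                       for i in range(prec + 1))
        return at
    return rec(N, lambda prec: Fraction(-1), lambda prec: Fraction(1), t)(k)


# Sample points (constructed): 1/2 and -1/2 via signed binary, and the
# non-dyadic rational 1/3 = 0.0101... via corec over the state space
# {False, True} with h(odd) = 1 if odd else 0 and t = negation.
HALF = from_signed_binary(lambda i: 1 if i == 0 else 0)
MINUS_HALF = from_signed_binary(lambda i: -1 if i == 0 else 0)
THIRD = corec(lambda odd: 1 if odd else ZERO, lambda odd: not odd, False)

if __name__ == "__main__":
    for name, pt in [("1/2", HALF), ("-(1/2)", neg(HALF)),
                     ("1/2 * -1/2", mul(HALF, MINUS_HALF)), ("1/3", THIRD)]:
        print(name, float(approx(pt, 12)))
```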

Although we have written this section using a functional language with general recursion, we remark that our representation of the interval can be implemented even more directly using intuitionistic type theory [25]. Indeed, by formulating the recursive definition of the data type I as a W-type, one obtains precisely the well-founded $\omega$-branching trees over $-1$ and $1$, and our recursion combinator is simply the recursor for this type.

7  Basic  categorical  properties 

In this section, we turn our attention to general properties of convex bodies and interval objects arising from their categorical definitions. This general investigation will be useful in Sections 8 and 9, in which we study examples in categories other than Set.

One benefit of having simple abstract definitions of convex body and interval object is that it is easy to prove that these notions are preserved by various categorical constructions and functors. In this section, we state basic results of this nature. The proofs are all routine.

As in Section 2, let $\mathcal{C}$ be a category with finite products.

Proposition 7.1 The forgetful functors $\mathrm{Conv}(\mathcal{C}) \to \mathcal{C}$ and $\mathrm{BiConv}(\mathcal{C}) \to \mathcal{C}$ create limits.

In particular, if $(A, m)$ and $(A', m')$ are convex bodies then so is $A \times A'$ endowed with

$(A \times A') \times (A \times A') \cong (A \times A) \times (A' \times A') \xrightarrow{m \times m'} A \times A'$

and an analogous statement holds for bipointed convex bodies. One simple consequence of this result is that, for any interval object $(I, \oplus, a, b)$, the $n$-dimensional cube $I^n$ has an induced convex body structure.

As well as being closed under limits, convex bodies are also closed under internal powers.

Proposition 7.2 If $(A, m)$ is a convex body then so is

$\big(A^B,\ A^B \times A^B \cong (A \times A)^B \xrightarrow{m^B} A^B\big)$

for any exponentiable object $B$.

Again, the analogous result holds for bipointed convex bodies.

It is also straightforward to establish conditions under which (bipointed) convex bodies are preserved by functors. Suppose $\mathcal{D}$ is a category with finite products, and the functor $F : \mathcal{C} \to \mathcal{D}$ preserves finite products. Then there is a functor $F : \mathrm{MidAlg}(\mathcal{C}) \to \mathrm{MidAlg}(\mathcal{D})$ whose action on objects is:

$F(A, m) = \big(FA,\ FA \times FA \cong F(A \times A) \xrightarrow{Fm} FA\big)$

and whose action on morphisms is inherited from $F$.
Proposition 7.3 Suppose that $F$ has a left adjoint.

1. The functor $F : \mathrm{MidAlg}(\mathcal{C}) \to \mathrm{MidAlg}(\mathcal{D})$ cuts down to a functor $F : \mathrm{Conv}(\mathcal{C}) \to \mathrm{Conv}(\mathcal{D})$. Similarly, by extending the action of $F$ to bipointed objects, a functor $F : \mathrm{BiConv}(\mathcal{C}) \to \mathrm{BiConv}(\mathcal{D})$ is obtained.

2. If $F : \mathcal{C} \to \mathcal{D}$ also has a right adjoint $G : \mathcal{D} \to \mathcal{C}$ then $G : \mathrm{Conv}(\mathcal{D}) \to \mathrm{Conv}(\mathcal{C})$ is right adjoint to the functor $F : \mathrm{Conv}(\mathcal{C}) \to \mathrm{Conv}(\mathcal{D})$, and $G : \mathrm{BiConv}(\mathcal{D}) \to \mathrm{BiConv}(\mathcal{C})$ is right adjoint to $F : \mathrm{BiConv}(\mathcal{C}) \to \mathrm{BiConv}(\mathcal{D})$. Thus, in particular, $F : \mathcal{C} \to \mathcal{D}$ preserves interval objects.

It follows from 1 above that if $\mathcal{C}$ is a full reflective subcategory of $\mathcal{D}$ and if $\mathcal{D}$ has an interval object $(I, \oplus, -1, 1)$ where $I$ is an object of $\mathcal{C}$ then $(I, \oplus, -1, 1)$ is also an interval object in $\mathcal{C}$.
A special case of statement 2 is that interval objects are preserved by the inverse image functors of essential geometric morphisms between elementary toposes. Thus if $f : \mathcal{E} \to \mathcal{E}'$ is an essential geometric morphism and $\mathcal{E}'$ has an interval object then its image under $f^*$ gives an interval object in $\mathcal{E}$. In particular, by Theorem 1, every presheaf topos $\mathrm{Set}^{\mathcal{C}^{op}}$ has an interval object obtained as $\Delta(\mathbb{I})$; recall that the constant presheaf functor $\Delta : \mathrm{Set} \to \mathrm{Set}^{\mathcal{C}^{op}}$ is the inverse image functor of an essential geometric morphism [24]. More generally, in Section 9, we show that any elementary topos with natural numbers object has an interval object.

8 Interval objects in the category of topological spaces

In this section we return to the claims made earlier in Examples 2.6 and 2.9, investigating abstract convex bodies and interval objects in the category Top of topological spaces.

Proposition 3.1 generalizes to Top with the requirement that $M : A^\omega \to A$ be continuous with respect to the product topology. It follows that, for a bounded convex $A \subseteq \mathbb{R}^n$, the midpoint algebra $(A, \oplus)$ with the discrete topology is not an abstract convex body in Top, because this topology does not make the iterated midpoint operation into a continuous function. Thus the notion of abstract convex body forces one to consider more reasonable topologies on $(A, \oplus)$.

Proposition 8.1 For any bounded convex subset $A \subseteq \mathbb{R}^n$ endowed with the Euclidean topology, $(A, \oplus)$ is an abstract convex body in Top.

This result is derived from Proposition 3.4, by proving that the infinitary midpoint operation is continuous. Certain other basic information about convex bodies in Top can be inferred using Proposition 7.3. The forgetful functor $U : \mathrm{Top} \to \mathrm{Set}$ has both a left adjoint $\Delta$ (giving the discrete topology) and a right adjoint $\nabla$ (giving the indiscrete topology). Thus, both $U$ and $\nabla$ preserve convex bodies. As $U$ does, we see that, by Proposition 3.4, under any topology whatsoever, for a standard midpoint subalgebra $A$ of $\mathbb{R}^n$ to be a convex body in Top, $A$ must be a bounded convex set. Also, for any bounded convex set, $(A, \oplus)$ with the indiscrete topology is a convex body in Top.

Also, by Proposition 3.4, if an interval object exists in Top then $U$ preserves it. In fact, we have already claimed in Example 2.9 that $(\mathbb{I}, \oplus, -1, 1)$ is an interval object in Top when given the Euclidean topology. As Top is not cartesian closed, it is appropriate to show that this is a parameterized interval object in the sense of Section 4.

Theorem 2 $(\mathbb{I}, \oplus, -1, 1)$ with the Euclidean topology is a parameterized interval object in Top.

By Proposition 7.3.1, $(\mathbb{I}, \oplus, -1, 1)$ with the Euclidean topology is a parameterized interval object in any full reflective subcategory of Top that contains the closed Euclidean interval. Thus, for example, it is a parameterized interval object in the category of compact Hausdorff spaces.

9  Interval  objects  in  an  elementary  topos 

In this section we prove that an interval object exists in any elementary topos with natural numbers object. There are at least two reasons to be interested in such a result. Firstly, elementary toposes include all Grothendieck and realizability toposes, of which there are numerous examples with direct geometrical and/or computational significance. Indeed, we have already mentioned that the results of this section can be used to prove Proposition 5.6.

Our second motivation is to study the notion of interval object using an intuitionistic background logic. It is well known that intuitionistic logic draws sharp distinctions between different, though classically equivalent, definitions of real number. To better understand our notion of interval object, we compare it to the competing intuitionistic accounts of the interval. Somewhat surprisingly, rather than obtaining one of the established notions, interval objects give rise to an apparently new intuitionistic notion of real number, albeit one that coincides with extant notions under the mild assumption of number-number choice.

Let $\mathcal{E}$ be an elementary topos with natural numbers object $\mathbb{N}$. Among the alternative notions of real number available, two are considered as being the most natural, the Dedekind reals $\mathbb{R}_D$ and the Cauchy (or Cantor) reals $\mathbb{R}_C$. Both are defined using the object of rationals $\mathbb{Q}$ and its associated ordering. The reader is referred to [16] for details.

A basic fact is that one has inclusions

$\mathbb{Q} \subseteq \mathbb{R}_C \subseteq \mathbb{R}_D.$

We say that a subobject $X \subseteq \mathbb{R}_D$ is Cauchy complete if every Cauchy sequence in $X$ (with modulus) has a limit in $X$. It is easy to see that the Dedekind reals are Cauchy complete. Obviously, the rationals are not Cauchy complete. The Cauchy reals partially rectify the non-completeness of $\mathbb{Q}$ by adding all limits of Cauchy sequences of rationals. Given $\mathbb{N}$-$\mathbb{N}$-choice, this suffices to make $\mathbb{R}_C$ itself Cauchy complete. However, it seems that, in general, $\mathbb{R}_C$ is not Cauchy complete, as, given a Cauchy sequence of Cauchy reals, there is no mechanism for selecting representative rational sequences from which the required limiting sequence of rationals can be extracted.

The possible failure of Cauchy completeness for $\mathbb{R}_C$ makes it natural to introduce another object of reals, namely, the Cauchy completion of $\mathbb{Q}$ within $\mathbb{R}_D$. This object, which we call the object of Euclidean reals $\mathbb{R}_E$, is defined as the intersection of all Cauchy complete subobjects of $\mathbb{R}_D$ containing the rational numbers.

We have identified three objects of reals

$\mathbb{R}_C \subseteq \mathbb{R}_E \subseteq \mathbb{R}_D.$

In the case that $\mathcal{E}$ satisfies $\mathbb{N}$-$\mathbb{N}$-choice, both inclusions are equalities. The Grothendieck topos of sheaves over the Euclidean line is a simple example in which the second inclusion is strict. To our embarrassment, we do not know an example in which the first inclusion is strict. Thus we do not know if the envisaged failure of the Cauchy completeness of $\mathbb{R}_C$ is actually possible, although we are sure that it must be.

Each notion of real number object determines a corresponding notion of interval object; for example,

$\mathbb{I}_D = \{x \in \mathbb{R}_D \mid -1 \le x \le 1\}$

$\mathbb{I}_E = \{x \in \mathbb{R}_E \mid -1 \le x \le 1\} = \mathbb{R}_E \cap \mathbb{I}_D.$

The reason for introducing the Euclidean reals in the first place is the following.

Theorem 3 $(\mathbb{I}_E, \oplus, -1, 1)$ is an interval object in $\mathcal{E}$.

Our proof is very long and makes crucial use of Pataraia's intuitionistic fixed-point theorem for monotonic endomaps of directed complete partial orders [27].

10  Concluding  remarks 

We have provided an axiomatization of the interval, by means of a geometrically motivated universal property that supports the definition of computable functions. Moreover, we have investigated this axiomatization in a number of settings.

Many other settings remain to be investigated. In the category of setoids over intuitionistic type theory [15, 26], it can be shown that any of the usual constructions of a closed real interval gives an interval object. In the category of locales over any topos, we conjecture that the standard localic interval [18] is an interval object.

By definition, an interval object is a free convex body over two generators. Freely generated convex bodies over different generating objects coincide with other familiar mathematical structures. Interesting examples occur in the category of topological spaces: (1) The free convex body over Sierpinski space is the interval with the topology of lower semicontinuity. (2) The free convex body over the flat domain of booleans under the Scott topology is the interval domain studied in [11] with its pointwise midpoint structure. (3) The free convex body over a finite discrete space of cardinality $n$ is an $n$-simplex. In particular, the free convex bodies over three and four generators are the triangle and the tetrahedron. All the above examples are applications of the left adjoint to the forgetful functor from topological convex bodies to topological spaces, which exists by Freyd's Adjoint Functor Theorem [23].

There are intriguing connections between midpoint algebras and the probabilistic algebras that arise in the study of probabilistic powerdomains; see the axiomatizations discussed by Heckmann [13]. It is plausible that the free convex body over a sufficiently nice domain may be nothing but the probabilistic powerdomain of normalized valuations [19].
Abstract

Analysis of foundational problems like "What is computation?" leads to a sketch of the paradigm of abstract state machines (ASMs). This is followed by a brief discussion on ASM applications. Then we present some theoretical problems that bridge between the traditional LICS themes and abstract state machines.


1  Introduction 

This talk was prompted by Joe Halpern's invitation letter: "My hope this year is that the invited talks will showcase the relevance of logic to the rest of CS. It seems that some discussion of abstract state machines (and their potential impact on Microsoft) would be a great theme ..."

I always had a taste for foundational questions. That is why I went to logic (from algebra) in the first place. In 1982 Michigan hired me, a logician, on the promise to become a computer scientist. Contrary to mathematical logic where the foundational questions had been more or less settled, the foundational questions of computer science were wide open. What is it that we study in computer science? What is computation? What are the peculiar dynamic systems of computer science? Thinking about these questions, I arrived at the notion of abstract state machine (ASM) as a formalization of the notion of computer system at any given level of abstraction.

The operational approach of ASMs went against the pure declarative fashion of the formal methods of the time. Many formal-methods experts still think that any operational approach is necessarily low-level and that an executable specification is a contradiction in terms. But ASMs were successful in applications. The ASM community grew and with it grew the diversity of applications; see the ASM academic website [23] where you will find in particular a bibliography [13] and Egon Börger's surveys [11, 12]. While much of ASM activity takes place in academia, it is not confined to academia. Good ASM work has been done in Siemens. There is an active ASM group in Microsoft. There are even two small ASM-based start-ups, http://www.modeled-computation.com and http://www.montages.com/.

The  rest  of  this  talk  is  organized  as  follows. 

Section 2 A version of our original analysis of the fundamental questions mentioned above.

Section  3  A  sketch  of  the  ASM  paradigm. 

Section  4  A  few  words  on  what  ASMs  are  good  for. 

Section  5  A  few  words  on  our  Microsoft  experience. 

Section  6  Some  theoretical  problems  related  to  ASMs. 

Section  7  Postlude. 

I  showed  a  draft  of  this  talk  to  my  former  student  Quisani 
which  resulted  in  some  Q  &  A  inserted  in  the  text. 
2 What is computation?

A computation can be defined as a run of a computer system. The notion of computer system should be general enough to account for future computer systems and for more abstract computations that you encounter, e.g., in the specification stage of software development. We proceed to make our notion of computer system a little more precise.

2.1  Levels  of  abstraction 

A computer system has a hierarchy of levels of abstraction. For example, you can view the execution of a C program on the level of the source program or on the level of the executable code. These are two different abstraction levels. Here we are interested in computations of a computer system with a fixed level of abstraction.

The need to fix a particular level of detail is well understood in software engineering. To this end, for example, APIs (application programming interfaces) enable the programmer to give precise syntactic information about a component: method names, typing information, etc. Typically the intended semantics is only hinted at. (And so you may want to use ASMs to fill in the gap.)

2.2  The  program 

A computer system is governed by a fixed program. Human society for example is not a computer system. The more focused theory of computer systems should be deeper than General System Theory.

A programmed system does not have to be closed. It can be highly interactive.

Q: Is Internet a computer system in your sense?

A: I guess this depends on the chosen level of abstraction. Even a complex system, like Internet, can be algorithmic on some levels of abstraction.

Q: Shouldn't this apply to human society as well?

A: You are right; it should.

Q: Suppose that my program has loaded a bunch of classes from some library. Does this change the program of my computer system?

A: Not necessarily. Again, this depends on the chosen level of abstraction. One possible view is this. Loading new classes changes only a part of your state; in particular the set of methods available to your program. The methods themselves can be seen as part of the active environment.

Q: Maybe you should say "algorithmic system" rather than "computer system".

A: Maybe. I used to say "algorithm" instead of "computer system" but there is a tendency to interpret the term "algorithm" too narrowly. Let's stick to the term "computer system" for the time being.

Q: There are so-called non-von-Neumann systems which change their programs as they run.

A: I saw some of them. Here is my understanding of how they work. There are fixed rules how to change the alleged program. Those rules constitute the real program. The alleged program is data.


2.3  The  state 

In  general,  a  computer  system  is  a  dynamic  system;  it  has 
a  state  that  evolves  in  time. 

Q: Can a computer system be static? If yes, does it still have a state?

A: Yes, and yes. Consider a sorting algorithm at the abstraction level where you abstract from everything except the input-output function that takes a given sequence to the sorted one. At that level of abstraction, no dynamics remains; the system still has a state (including the sorting function) but the state does not evolve in time.

2.4  So  what  is  computation? 

Computation  is  evolution  of  the  state. 

Q: I guess you are talking about computations of a computer system at a fixed level of abstraction.

A:  Yes,  I  am. 

Q:  This  definition  is  not  a  mathematical  definition. 

A:  Right.  It  is  a  philosophical  speculation. 

Q: I am skeptical about philosophical speculations. Give me one example of a philosophical speculation that proved to be useful.

A:  Turing’s  speculative  proof  of  his  thesis  [27]. 

3  The  ASM  paradigm 

The  notion  of  abstract  state  machine  (ASM)  formalizes 
our  notion  of  computer  system  given  at  a  fixed  abstraction 
level. 

The  ASM  Thesis  Let  A  be  any  computer  system  at  a  fixed 
level  of  abstraction.  There  exists  an  abstract  state  machine 
B  that  simulates  A  step-for-step. 

Q: How is this thesis different from Turing’s thesis?

A:  In  many  ways.  In  particular,  a  Turing  machine 
would  simulate  A  on  the  level  of  single  bits  while 
an  ASM  simulates  A  on  the  given  abstraction  level. 

The “step-for-step” requirement is crucial. In distributed computing, typically only single steps are guaranteed not to be interrupted by other agents. If B simulates A step-for-step then it can substitute for A in distributed situations. Even if B makes only two steps to simulate one step of A, some other agent can intervene between the steps of B and mess up the simulation.
In [20], we proved the thesis for the case of sequential algorithms, more exactly for sequential-time algorithms with uniformly bounded parallelism.

Q: Is it a mathematical proof or another philosophical speculation?

A:  It  is  a  mathematical  proof. 

Q:  How  can  you  prove  a  thesis?  The  notion  of 
sequential  algorithms  is  informal. 

A: We formalize the notion of sequential algorithms by means of three postulates: the Sequential-Time Postulate, the Abstract-State Postulate, and the Bounded-Exploration (that is stepwise uniformly bounded exploration) Postulate.

Work  on  more  general  versions  of  the  thesis  is  in  progress. 
Instead  of  defining  ASMs  here,  we  just  sketch  the  ASM 
paradigm.  The  standard  reference  for  the  ASM  syntax  still 
is  [19];  a  new  guide  is  in  preparation. 

Let  A  be  a  computer  system  at  a  fixed  level  of  abstraction. 

3.1  States  as  structures 

States  of  A  are  first-order  structures. 

Q:  Why  first-order?  Why  not  second-order  or 
higher-order? 

A: Second-order and higher-order and other kinds of logical structures can be viewed as special first-order structures. See for example article [10] where weak higher-order structures are treated as first-order structures.

Q:  Why  should  it  be  any  kind  of  logic  structure? 

A: The vast experience in applications of mathematical logic seems to confirm that any static mathematical reality can be adequately described as a first-order structure.

Q: It can be, I guess, adequately described in arithmetic.

A:  Arithmetization  requires  excessive  encoding 
while  structure  representation  is  virtually  free 
from  encoding. 

All  states  of  A  have  the  same  vocabulary.  The  vocabulary 
reflects  the  invariant  aspects  of  the  algorithm.  Further  the 
base  set  of  the  state  does  not  change  during  the  evolution. 

Q:  Many  graph  algorithms  acquire  new  nodes  as 
they  run. 


A:  But  where  do  they  take  those  new  nodes  from? 

We assume that the initial state has an infinite reserve of elements to be used as nodes or whatever.

A  special  import  (called  also  create)  operator 
is  used  to  fish  out  elements  from  the  reserve  and 
bring  them  to  the  foreground. 

The set of states of A is closed under isomorphisms. Intuitively, isomorphic structures are representations of the same state. The details of representation should not matter.

Q:  If  computation  is  state  evolution  and  states  are 
structures  then  computation  is  structure  evolution. 

A:  That  is  why  abstract  state  machines  used  to  be 
called  evolving  structures  or  evolving  algebras. 

Q:  Why  algebras? 

A: An algebra is a structure whose vocabulary consists of function symbols. In logic, relations are different from functions because their values live outside the structure. We tweaked the definition of first-order structures so that the Boolean values are always inside and thus our states are algebras.

3.2  State  as  a  memory 

In logic or algebra, structures are static. Our structures are dynamic. A state $X$ is a memory (or store). If $f$ is a function symbol of arity $j$ in the vocabulary of $X$ and if $\bar a$ is a $j$-tuple of elements of $X$ then the pair $(f, \bar a)$ is a location of $X$. The content of that location is the element $f(\bar a)$.

3.3  Actions 

An  atomic  update  of  a  state  X  changes  the  content  of  one 
location  of  X.  Since  the  vocabulary  of  A  is  fixed  and  the 
base  set  of  the  state  does  not  change  during  the  evolution, 
the  set  of  locations  does  not  change  either.  It  follows  that 
any  transition  from  one  state  to  another  is  characterized  by 
an  update  set,  a  set  of  atomic  updates. 

The ASM syntax provides means to program atomic updates as well as various update sets. For example, if $\varphi$ is a Boolean-valued term and $R$ is an ASM rule generating an update set $U$ at a state $X$ then the rule “if $\varphi$ then $R$” generates either $U$ or $\emptyset$ over $X$ depending on whether $\varphi$ evaluates to true or to false over $X$.

Q: I guess state changes should respect isomorphisms of structures.

A: Of course. In [20], this is a part of the abstract-state postulate.
3.4 Runs

You have in general a number of computing agents executing their programs. It is convenient to think in terms of a global state. A move by an agent changes only a finite set of locations of the global state. Concurrent moves of different agents produce consistent changes. A run is a partial order of moves of various agents.

Q: Your global state is some kind of shared memory.

A:  It  is  not  a  conventional  shared  memory. 

Q: Consider a distributed system, say a network of computers. To make it more interesting, let us assume that different computers are located on different planets so that, by the relativity theory, the whole system does not have a global time. The computers exchange information via messages.

Are there meaningful states of the system?

A:  Yes,  they  are  mathematical  abstractions  [19]. 

Further, agents themselves are represented in the state. The computation can destroy agents and create new ones. There could be various relations and functions involving agents [19].

3.5  ASMs  and  set  theory 

In  a  1993  Dagstuhl  conference,  Andreas  Blass  said  the 
following  about  formalizing  algorithms  as  ASMs:  “after  a 
while  it  becomes  clear  that  any  ‘reasonable’  algorithm  can 
be  written  as  an  ASM,  just  as  any  ‘reasonable’  proof  can 
be  formalized  in  ZFC.”  This  observation  is  analyzed  and 
developed  further  in  the  chapter  “ASMs  and  Set  Theory”  of 
his  article  “Abstract  State  Machines  and  Pure  Mathematics” 
[4]. 

4  What  are  ASMs  good  for 

The  most  obvious  use  of  ASMs  is  to  write  executable 
specifications.  Here  is  a  sorting  example. 

You don’t need ASMs to specify that a sorting algorithm should sort. But suppose that, for some reason, e.g. security, you need that your sorting is in-place so that you only swap elements of the given array. Suppose further that you can do only one swap at a time. There are numerous ways to implement such sorting: quicksort, bubble sort, etc. Here is an ASM spec of in-place one-swap-a-time sorting. Suppose that a is an array with the set I of indices.

    choose i, j in I with i < j and a[i] > a[j]
    do in-parallel
        a[i] := a[j]
        a[j] := a[i]


This rule is supposed to be executed over and over again until the computation halts (when the choice set becomes empty). This is the most general in-place one-swap-a-time sorting (such that every swap makes the array more sorted). You can employ various choice strategies and thus get more refined sorting algorithms; a refinement like quicksort is much more efficient than the spec. But the spec is executable as is, and appropriate ASM tools can execute it.
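The sorting spec above rendered as executable code, added here as an example that is not code from the paper or from AsmL, built on the locations and update sets of Sections 3.2 and 3.3: a step evaluates the rule in the current state, collects its update set, checks it for consistency and fires it, and the choice strategy is a parameter, so the same rule yields the spec’s independent choice (random_choice) or a hypothetical bubble-sort-like refinement (adjacent_first). All function and type names are ours.

```python
# Added example, not code from the paper or from AsmL: an executable
# rendering of the in-place one-swap-a-time sorting spec of Section 4 on
# top of the state-as-memory / update-set view of Sections 3.2 and 3.3.
# All names (choice_set, swap_rule, fire, adjacent_first, ...) are ours.
import random
from typing import Callable, Dict, List, Optional, Set, Tuple

# A state is the array a: I -> values, here a Python list indexed by I.
# A location is (function symbol, argument): the arity-1 symbol "a"
# applied to an index.  An atomic update is (location, new content).
Location = Tuple[str, int]
Update = Tuple[Location, int]
UpdateSet = Set[Update]
Pair = Tuple[int, int]
Strategy = Callable[[List[Pair]], Pair]


def choice_set(a: List[int]) -> List[Pair]:
    """All (i, j) in I x I with i < j and a[i] > a[j].

    This is the set the 'choose' construct picks from; when it is empty
    the guard fails and the computation halts."""
    n = len(a)
    return [(i, j) for i in range(n) for j in range(i + 1, n) if a[i] > a[j]]


def inversions(a: List[int]) -> int:
    """Number of out-of-order pairs, the measure each swap must decrease."""
    return len(choice_set(a))


def swap_rule(a: List[int], i: int, j: int) -> UpdateSet:
    """Update set of 'do in-parallel a[i] := a[j], a[j] := a[i]'.

    Both right-hand sides are evaluated in the current state; the state
    changes only when the whole set fires, so no intermediate value is
    lost and the two updates together are a swap."""
    return {(("a", i), a[j]), (("a", j), a[i])}


def is_consistent(u: UpdateSet) -> bool:
    """An update set is consistent iff no location receives two different values."""
    seen: Dict[Location, int] = {}
    for loc, val in u:
        if seen.get(loc, val) != val:
            return False
        seen[loc] = val
    return True


def fire(a: List[int], u: UpdateSet) -> List[int]:
    """Apply a consistent update set to a state, yielding the next state."""
    if not is_consistent(u):
        raise ValueError("inconsistent update set: %r" % (u,))
    nxt = list(a)
    for (_sym, idx), val in u:
        nxt[idx] = val
    return nxt


def step(a: List[int], strategy: Strategy) -> Tuple[List[int], Optional[UpdateSet]]:
    """One execution of the rule: (next state, update set), or (a, None) at halt."""
    cs = choice_set(a)
    if not cs:
        return a, None  # 'if guard then R' with a false guard yields the empty set
    i, j = strategy(cs)
    u = swap_rule(a, i, j)
    return fire(a, u), u


def run(a: List[int], strategy: Strategy) -> Tuple[List[int], List[UpdateSet]]:
    """Execute the rule over and over until the choice set is empty.

    Returns the final state and the trace of update sets fired; every
    fired step is checked to make the array strictly more sorted."""
    state, trace = list(a), []
    while True:
        nxt, u = step(state, strategy)
        if u is None:
            return state, trace
        if inversions(nxt) >= inversions(state):
            raise AssertionError("swap did not make the array more sorted")
        trace.append(u)
        state = nxt


def random_choice(seed: int) -> Strategy:
    """The spec's own independent choice: each invocation picks afresh."""
    rng = random.Random(seed)
    return lambda cs: rng.choice(cs)


def adjacent_first(cs: List[Pair]) -> Pair:
    """A hypothetical bubble-sort-like refinement: always swap the closest
    out-of-order pair (an adjacent one exists whenever cs is non-empty)."""
    return min(cs, key=lambda p: (p[1] - p[0], p[0]))


if __name__ == "__main__":
    data = [5, 1, 4, 2, 3]  # constructed sample input
    print(run(data, adjacent_first))
    print(run(data, random_choice(1)))
```

With adjacent_first every fired swap removes exactly one inversion, so the trace length equals the initial inversion count; under random_choice the run is shorter or equal, since a non-adjacent swap can remove several inversions at once.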

Q:  Your  notion  of  specification  is  very  broad. 

A:  Yes.  Whenever  you  have  a  pair  of  algorithms 
A  and  B  so  that  B  refines  A,  A  is  a  spec  for  B. 

This  includes  the  case  when  A  is  static  and  so  the 
spec  is  declarative. 

Q: Why is it important that specifications are executable?

A:  Imagine  that  you  have  designed  a  cool  product 
with  many  interesting  features.  Developers  code 
it;  this  may  take  a  while.  Eventually  testers  may 
discover  that  the  design  was  flawed  and  needs  to 
be  changed.  You  wish  you  could  have  played  with 
your  design  before  coding. 

There are many more kinds of applications of ASMs; see [23] where you will find in particular a bibliography [13] and Egon Börger’s surveys [11, 12].

5  ASMs  in  Microsoft 

Jim Kajiya at Microsoft Research realized the potential of ASMs. In late summer of 1998, he invited me to start a new group, and I accepted. The ASM project had become more and more engineering, and I could use help. In addition, I was tired of analyzing old software and excited about the possibility to participate in the development of new software.

The new group was called Foundations of Software Engineering (FSE). By now we have a strong and busy ASM team that never seems to find time to dress up its outside window [14]. Our first priority is to develop a good tool to write and execute ASMs. A number of such tools have been developed in academia; see [23]. Two of these tools, ASM Workbench and ASM Gofer, have been successfully used at Siemens. However none of the tools was a good fit for the software development environment of Microsoft, and in particular for COM, Microsoft’s Component Object Model [24]. We had to start from scratch.

Q: What is COM?

A: I quote from [2]: “Microsoft software is usually composed of COM components. These are really just static containers of methods. In your PC, you will find dynamic-link libraries (DLLs); a library contains one or more components (in compiled form). COM is a language-independent as well as machine-independent binary standard for component communication. An API for a COM component is composed of interfaces; an interface is an access point through which one accesses a set of methods. A client of a COM component never accesses directly the component’s inner state, or even cares about its identity; it only makes use of the functionality provided by different methods behind the interface (or by requesting a different interface).”

The tool development in the group is headed by Wolfram Schulte, my first hire, who came to Microsoft in the summer of 1999 from the University of Ulm in Germany after completing his ASM-related habilitation there. Our main tool is called AsmL (ASM Language). It is an executable-specification language.

Q: What does it mean? Another high-level programming language?

A:  It  is  a  high-level  programming  language  that 
implements  the  ASM  paradigm.  Accordingly  it  is 
highly  parallel. 

Q:  What  about  that  COM? 

A:  AsmL  is  COM  compliant.  You  can  specify 
a  component,  and  the  spec  will  have  full  COM 
connectivity.  For  example,  a  spec  of  a  debugger 
may  be  much  more  concise  and  abstract  than  a  real 
debugger,  but  it  will  be  treated  as  a  debugger  by 
other  COM  components. 

Q: Is AsmL optimized for efficiency or expressivity?

A: It is a pragmatic compromise but typically expressivity comes first.

Q:  Are  there  product  groups  within  Microsoft  that 
use  ASM  technology? 

A:  Yes. 

Q:  Name  one. 

A:  Universal  Plug  and  Play. 

This seems to be a wrong place to go into the details of our work. (A bunch of our papers should appear later this year in the Proceedings of ASM’2001 in Springer Lecture Notes in Computer Science. A few additional papers are headed elsewhere. We’ll try to keep the website [14] current.) Instead let me share a few lessons that the group learned during its short existence.


• Verification isn’t everything. Verification is great . . . when it is feasible. A spec is a basis not only for verification but also for testing, documentation, etc. Partial improvements can have a big impact.

•  Stay  relevant.  A  spec  must  be  testable  and  up-to-date. 

•  Integration  is  crucial.  Without  integration  your  tool 
may  be  useless.  Integrate  with  the  relevant  developer 
environment  (in  our  case,  it  is  Microsoft  Visual  Studio). 
Integrate  with  the  relevant  run-time  environments  (in 
our  case,  they  are  COM,  .NET  and  various  libraries). 

6  On  ASM-related  theoretical  problems 

I was asked more than once about ASM-related theoretical problems. Many appetizing foundational problems arise in applications. For example, what are objects and classes [21]? But let me keep closer to more traditional LICS themes (with hope to bridge between those themes and ASMs).

6.1  Fine  complexity  classes 

The notion of polynomial time is very robust. The usual computation models including the Turing model give the same notion of polynomial time. In [22], we show that the usual computation models other than the Turing model give the same notion of nearly linear (that is linear times polylog) time. Linear time is much more sensitive to the choice of computation model, and there are numerous versions of linear time in use. One example is the linear time of computational geometry. The ASM model may have enough parameters to take care of all these versions of linear time — maybe. I did not investigate this.

In [6], we proved the linear-time hierarchy theorem for ASMs (that asserts that, as $c$ varies, the classes of functions computable in time $c \cdot n$ form a proper hierarchy). As we wrote there, “One long-term goal of this line of research is to prove linear lower bounds for linear time problems”.

If you work with linear time and consider simulations, it is natural to require that simulation is lock-step, that is there exists a fixed $k$ such that the simulator spends at most $k$ steps to simulate one step of the simulatee. In [6], we used lock-step simulations with preprocessing to construct a diagonalizing machine and thereby proved the linear-time hierarchy theorem. Lock-step simulation deserves to be studied in its own right. To this end, Andreas Blass constructed a more involved diagonalizing machine that avoids preprocessing (unpublished).

It  seems  that  the  study  of  fine  complexity  classes  was  held 
back  by  the  absence  of  an  appropriate  computation  model. 
We  hope  that  ASM  can  serve  as  such  a  model. 
6.2 Computations with abstract structures

Contrary to conventional computation models, like Turing machines or random access machines, ASMs accept abstract structures as inputs. For example, an input could be a graph rather than a string (or adjacency matrix) representation of the graph.

Q:  Why  is  this  important?  Real  computers  do  not 
accept  abstract  structures  as  inputs. 

A: You routinely abstract from representation details when you do specifications. But such abstraction is not confined to specifications. Suppose for example that I have a database in my computer and I ship it to you. You store it in your computer but the representation of the database in your computer will surely differ from that in mine. A query to the database should not depend on the representation. To this end, popular query languages abstract from the representation, so that abstract databases are treated as inputs to queries. This is an important issue in database theory and practice [1].

In [18], I conjectured that there is no logic (or computation model) for polynomial-time computations with abstract structures; the conjecture implies $\mathrm{P} \neq \mathrm{NP}$ and remains open.

Q:  I  do  not  understand  your  conjecture.  How  can 
you  quantify  over  logics? 

A: I assume that every logic satisfies some minimal requirements, in particular that the set of well-formed formulas is recursive.

In [10], ASMs were used as a computation model (and logic of a sort, called BGS) for a rich natural class of polynomial-time computations with abstract structures. Later Shelah proved the zero-one law for BGS [26, 5]. In particular, we show in [10] that counting is not available in BGS and that BGS cannot decide whether a bipartite graph admits a perfect matching. Later it was shown in [9] that if one adds counting to BGS then the perfect matching problem for bipartite graphs becomes expressible. It remains open whether the perfect matching problem for arbitrary graphs is expressible in BGS with counting. It is also open whether BGS with counting captures polynomial time. Other specific problems along these lines are discussed in [9]. In [16], ASMs were used to study logspace computations with abstract structures.

The  complexity  theory  of  computations  with  abstract 
structures  deserves  to  be  developed  further. 

6.3  Metafinite  models 

In [17], I preached finite model theory because many structures naturally arising in computer science are finite. In particular (the states of) relational databases are finite. But are they really finite in all cases? A database may use real numbers for example; where do those numbers “live”? Now consider the world of, say, the C programming language. It has arrays, records, arrays of records, records of arrays, and so on. It is convenient to model states of computer systems as infinite structures where only a finite part is active. To this end, we defined and studied metafinite structures in [15]. A metafinite structure has a finite primary part and possibly infinite secondary part.

In  the  case  of  a  program  state,  the  primary  part  reflects 
the  active  foreground  and  the  infinite  part  reflects  the  passive 
background.  One  example  is  [10]  where  the  background  is 
the  collection  of  hereditarily  finite  sets  over  the  elements 
of  the  input  structure.  In  general,  background  structures 
contain  all  the  material  (like  maps  of  sets  of  sequences  of 
maps)  that  the  program  may  need.  The  notion  of  background 
was  formalized  in  [7]. 

Metafinite  structures  are  really  ubiquitous  and  deserve 
more  attention. 

6.4  Interesting  logics 

What are logics appropriate to metafinite structures? That question has been addressed in [15]. Basically, you can quantify over the primary part only. The secondary part may have powerful operations. In the case of reals, for example, you may have multiset operations like sum, product, average, median. But you can’t quantify over the secondary part.

The choice operator of ASMs (illustrated above, in Section 4) is typical for computer science. It is an independent-choice operator: different invocations of it produce independent choices. It differs from the epsilon operator of Hilbert, the classical choice operator of mathematical logic; different invocations of the epsilon operator over the same set produce the same result. In [8], we investigated the logic of the ASM choice operator. We found that this fascinating logic is much weaker than the logic of the epsilon operator.

There are other ASM-related logics waiting to be investigated. One example is first-order logic with undef, a special element that allows you to turn partial functions into total ones. This undef is different from diverges of recursive-function theory. An ASM program can refer to undef explicitly; in particular we allow tests like x = undef, and the equality undef = undef holds. This explicit use of undef makes the logic of undef more powerful than the other first-order logics of partial functions that I am aware of.

Until now we spoke about static logics. Once one introduces state transitions, new challenging issues appear.

What is the logic of the import operator mentioned above in Section 3? Unlike the choice operator, the import operator produces a different element every time it is invoked.
In the sequential-time case, an ASM program describes a single step (to be iterated). The state changes only at the end of the step, not at the middle. There are no side effects during the execution of one step. This feature of the ASM paradigm should allow one to develop clean logics to reason about at least one step of the program.

One may want also to use automated and partially automated systems, including model checking systems, to reason about the behavior of abstract state machines. The ASM community has some experience in this direction; see [25, 3] and the section on Mechanical Verification in [23]. We have a long way to go though.

7  Postlude 

Logic that we use and apply in computer science is mathematical logic developed originally to build foundations of mathematics and to solve the problems in foundations of mathematics that arose in the beginning of twentieth century. Logicians distinguish clearly between syntax and semantics and strive to clarify both syntactical and semantical issues. Computer science applications of logic are much different from mathematical applications. Some of the strongest methods of mathematical logics, like the priority method and forcing, have not found direct applications in computer science. But the foundational tradition of logic is of great value to computer science at this stage of its development.

But computer science is not a purely mathematical discipline. It is an engineering discipline as well. In applications, it does not suffice to prove that the problem is decidable or even polynomial-time decidable. You may need a program that works reasonably fast on real computers. Some engineering compromises have to be made. It is not only syntax and semantics that we should worry about. It is also pragmatics. It may mess up your clean constructions, but it may also enhance them and make them work for the benefit of many.
Abstract

In any classical first-order theory that proves the existence of at least two elements, one can eliminate definitions with a polynomial bound on the increase in proof length. In any classical first-order theory strong enough to code finite functions, including sequential theories, one can also eliminate Skolem functions with a polynomial bound on the increase in proof length.


1  Introduction 

When working with a first-order theory, it is often convenient to use definitions. That is, if $\varphi(\bar x)$ is a first-order formula with the free variables shown, one can introduce a new relation symbol $R$ to abbreviate $\varphi$, with defining axiom $\forall \bar x\,(R(\bar x) \leftrightarrow \varphi(\bar x))$. Of course, this definition can later be eliminated from a proof, simply by replacing every instance of $R$ by $\varphi$. But suppose the proof involves nested definitions, with a sequence of relation symbols $R_0, \ldots, R_k$ abbreviating formulae $\varphi_0, \ldots, \varphi_k$, where each $\varphi_i$ may have multiple occurrences of $R_0, \ldots, R_{i-1}$. In that case, the naive elimination procedure described above can yield an exponential increase in the length of the proof.

In Section 2, I show that if the underlying theory proves that there are at least two elements in the universe, a more careful translation allows one to eliminate the new definitions with at most a polynomial increase in length. The proof is not difficult, but it relies on the assumption that equality is included in the logic. A similar trick has been used by Solovay in simulating iterated definitions efficiently, as discussed in [11, Section 3.2]. Consequently, the result proved here may be folklore, but to my knowledge it has not appeared in the literature, and it is needed in Section 3.

It is also sometimes convenient, in a first-order setting, to introduce Skolem functions. If $\varphi(\bar x, y)$ is any formula with the free variables shown and $f$ is a new function symbol, one can add an axiom, $\forall \bar x, y\,(\varphi(\bar x, y) \to \varphi(\bar x, f(\bar x)))$, asserting, in words, “if any $y$ satisfies $\varphi(\bar x, y)$, $f(\bar x)$ does.” There is an easy model-theoretic proof of the fact that this does not alter the set of consequences in the original language; any first-order model of the original theory can be expanded to a model where $f$ denotes such a choice function. Explicit syntactic proofs of this fact are, however, somewhat more difficult. The first such proof appears in Hilbert and Bernays’ Grundlagen der Mathematik [8], using the epsilon substitution method; a proof by Maehara using cut-elimination is discussed in [14]; and another proof due to Shoenfield is found in [13] (see also the discussion in [12]). All these procedures are, unfortunately, worse than exponential.

In Section 3, I show that if the underlying theory allows for a modicum of coding, one can also eliminate Skolem functions with at most a polynomial increase in proof length. The idea is to use an internal, iterated forcing argument to add the new functions. The forcing conditions involved are finite approximations to the Skolem functions being added, so the constraint on the underlying theory is that it provides an adequate representation of finite functions. The specific requirements are spelled out below; any sequential theory of arithmetic meets these criteria. While forcing methods have been used to establish lower bounds in proof complexity (see [1, 9, 10]), here they are used to establish upper bounds; similar forcing arguments can be found in [2, 3, 4, 5].

The question as to whether or not definitions can be eliminated efficiently from propositional proof systems is a major open question in the field of proof complexity. The results here show that the answer is “yes” for most first-order proof systems, though the most general statement of the problem is equivalent to the propositional version. Issues related to Skolem functions are similarly important to computer science, since most automated search procedures use Skolemization in one form or another. The question as to the increase in proof length when eliminating a single Skolem function from a proof in pure first-order logic is listed as open problem 22 in [6]. Once again, though the results here do not settle the most general statement of the problem, they show that for many natural theories such an efficient elimination is possible. In Section 4, I discuss some questions that remain.

2  Eliminating  definitions 

If $d$ is a proof of a sentence $\psi$ from a set of axioms $\Gamma$ in first-order logic, then $|d|$ denotes the length of $d$, according to the number of symbols. Krajicek [9] and Pudlak [11] provide good general references on the lengths of proofs.

In this section and the next I will show that in certain circumstances one can eliminate definitions and/or Skolem functions from a proof $d$ in such a way that the length of the resulting proof is bounded by a polynomial in $|d|$. In doing so, I will not make an effort to compute the exact polynomial; rather, I will repeatedly appeal to the fact that the set of polynomials in $|d|$ is closed under addition, multiplication, and composition. It will be clear from the proofs that in fact all the translations considered can be carried out in polynomial time.

By  “first-order  logic,”  I  mean  first-order  logic  with 
equality,  in  any  of  the  standard  natural  deduction  calculi, 
Hilbert-style  calculi,  or  sequent  calculi  with  cut  described 
in  [15].  By  a  theorem  due  to  Krajicek,  up  to  polynomial- 
time  equivalence  it  docs  not  matter  whether  we  take  proofs 
to  be  given  by  trees  or  sequences  of  lines  (sec  [11,  Seetion 
4],  or  [9,  Section  4.5]  for  the  propositional  case).  In  faet, 
the  proof  of  Theorem  2.2  only  assumes  that  there  is  a  rep¬ 
resentation  of  ifi  which  uses  ip  only  once.  If  is 

assumed  to  be  one  of  the  basic  connectives,  one  ean  sim¬ 
plify  the  central  argument  somewhat;  but  the  proof  below 
works  in  either  case. 

I  will  use  the  following  conventions:  x  and  t  denote  se¬ 
quences  of  variables  and  terms,  respectively,  and  typically 
their  lengths  can  be  inferred  from  the  context.  Introducing 
a  formula  as  ip{x)  only  serves  to  distinguish  the  sequence 
of  variables  x,  after  which  ip{t)  denotes  the  result  of  simul¬ 
taneously  substituting  t  for  x,  renaming  bound  variables  in 
(f  if  necessary. 

Definition 2.1 Let $\Gamma$ be a set of first-order sentences in a language $L$. Say that $\Gamma$ has an efficient elimination of definitions if there is a polynomial $p(x)$ such that the following holds: whenever $R_0(\vec x_0), \ldots, R_k(\vec x_k)$ are new relation symbols of various arities, $\varphi_0(\vec x_0), \ldots, \varphi_k(\vec x_k)$ are formulae such that each $\varphi_i$ is in the language $L \cup \{R_0, \ldots, R_{i-1}\}$, and $d$ is a proof of a formula $\psi$ in $L$ from

$$\Gamma \cup \{\forall \vec x_0\,(R_0(\vec x_0) \leftrightarrow \varphi_0(\vec x_0)), \ldots, \forall \vec x_k\,(R_k(\vec x_k) \leftrightarrow \varphi_k(\vec x_k))\},$$

then there is a proof $d'$ of $\psi$ from $\Gamma$ using only formulae in $L$, with $|d'| \le p(|d|)$.

This definition is monotone in $\Gamma$: if $\Gamma$ has an efficient elimination of definitions and $\Gamma' \supseteq \Gamma$ then, by the deduction theorem, $\Gamma'$ has an efficient elimination of definitions as well. The main theorem in this section is the following:

Theorem 2.2 $\{\exists x, y\,(x \ne y)\}$ has an efficient elimination of definitions.

Proof The proof will occupy most of this section. Let $R_0, \ldots, R_k$, $\varphi_0, \ldots, \varphi_k$, $\psi$, and $d$ be as in the definition. We can assume that each of the defining axioms occurs at least once in the proof, since if the axiom for $R_i$ does not occur in the proof we can replace each occurrence of $R_i$ by an arbitrary sentence, say $\forall x\,(x = x)$. As a result, we can assume that $k$ and $|\varphi_0|, \ldots, |\varphi_k|$ are all less than $|d|$, and so it suffices to bound the length of the final proof by a polynomial in these values.

Let $a$ and $b$ be new constant symbols. It suffices to find a short (i.e. polynomially bounded) proof of $\psi$ from $\{a \ne b\}$. For, if we can find a short proof of $a \ne b \to \psi$, we can replace $a$ and $b$ by variables and obtain a short proof of $\psi$ from $\exists x, y\,(x \ne y)$.

First, note that without loss of generality we can assume that all the definitions are given by prenex formulae. If the propositional connectives are among $\{\wedge, \vee, \to, \neg\}$ this is so because any formula involving these connectives can be proved equivalent to one that is prenex, with a proof whose length is bounded by a polynomial in the length of the original formula. On the other hand, if, say, $\leftrightarrow$ is a propositional connective, one can introduce additional definitions to abbreviate subformulae and ensure that all the definitions are prenex. Alternatively, one can first use definitions to eliminate $\leftrightarrow$ as in the proof of Corollary 2.5, and then proceed as before.

In the following argument, if $\theta$ is a formula with a relation symbol $R(\vec y)$ and $\eta(\vec y)$ is a formula with the free variables shown, it will be convenient to write $\theta[\eta/R]$ for the result of replacing each atomic formula $R(\vec t)$ by $\eta(\vec t)$. At other times, I will write $\theta[R(t_1, \ldots, t_m)]$ to indicate that an atomic formula $R(t_1, \ldots, t_m)$ occurs in the quantifier-free formula $\theta$; thereafter, $\theta[\eta]$ denotes the result of replacing $R(t_1, \ldots, t_m)$ by $\eta$. While this notation is potentially problematic, the intention should always be clear from the context.

For notational convenience, we may assume that all of the relations $R_i$ have the same arity. We will need a way of representing the numbers $0, \ldots, k$. Let $z_0, \ldots, z_k$ be a sequence of variables, write $\bar 0$ for the sequence $a, b, b, b, \ldots$, $\bar 1$ for the sequence $b, a, b, b, \ldots$, and, more generally, $\bar j$ for the sequence of length $k+1$ that has an $a$ in the $j$th position and $b$'s elsewhere.

Our strategy will be to define a sequence of formulae $\hat\varphi_0(\vec z, u, \vec x), \ldots, \hat\varphi_k(\vec z, u, \vec x)$, with length bounded by a polynomial in $|d|$, such that for each $i \le k$ the following equivalences are all provable from $a \ne b$:

• $\forall \vec x\,(\hat\varphi_i(\bar j, a, \vec x) \leftrightarrow \hat\varphi_{i-1}(\bar j, a, \vec x))$, for each $j < i$

• $\forall \vec x\,(\hat\varphi_i(\bar j, b, \vec x) \leftrightarrow \hat\varphi_{i-1}(\bar j, b, \vec x))$, for each $j < i$

• $\forall \vec x\,(\hat\varphi_i(\bar i, a, \vec x) \leftrightarrow \varphi_i(\vec x)[\hat\varphi_{i-1}(\bar 0, a, \vec x)/R_0, \ldots, \hat\varphi_{i-1}(\overline{i-1}, a, \vec x)/R_{i-1}])$

• $\forall \vec x\,(\hat\varphi_i(\bar i, b, \vec x) \leftrightarrow \neg\varphi_i(\vec x)[\hat\varphi_{i-1}(\bar 0, a, \vec x)/R_0, \ldots, \hat\varphi_{i-1}(\overline{i-1}, a, \vec x)/R_{i-1}])$.

In other words, for each $i$ and $j \le i$, $\hat\varphi_i(\bar j, a, \vec x)$ is an efficient representation of $R_j$, and $\hat\varphi_i(\bar j, b, \vec x)$ is an efficient representation of $\neg R_j$. The idea is to use quantifiers and equality so that only a single instance of $\hat\varphi_{i-1}$ is used in the definition of $\hat\varphi_i$. Note that the clauses above imply that for each $i$ and $j \le i$, we have $\hat\varphi_i(\bar j, a, \vec x) \leftrightarrow \neg\hat\varphi_i(\bar j, b, \vec x)$.

The sequence $\hat\varphi_0, \ldots, \hat\varphi_k$ is defined recursively. Start by taking $\hat\varphi_0(\vec z, u, \vec x)$ to be the formula

$$(u = a \to \varphi_0(\vec x)) \wedge (u = b \to \neg\varphi_0(\vec x)).$$

For $i > 0$, assuming $\hat\varphi_0, \ldots, \hat\varphi_{i-1}$ have been defined, the following shows how to determine $\hat\varphi_i$. Since we are assuming that all the definitions are prenex, $\varphi_i(\vec x)$ is of the form

$$Q_1 y_1 \cdots Q_m y_m\, \psi[R_0(\vec t_{0,0}), \ldots, R_0(\vec t_{0,l_0}), \ldots, R_{i-1}(\vec t_{i-1,0}), \ldots, R_{i-1}(\vec t_{i-1,l_{i-1}})]$$

where $\psi$ is quantifier-free and the sequence in square brackets shows all instances of atomic formulae in $\psi$ involving $R_0, \ldots, R_{i-1}$. In general, the sequences of terms $\vec t_{j,p}$ depend on the quantified variables $y_1, \ldots, y_m$ as well as the free variables $\vec x$ of $\varphi_i$, but I will not display these variables explicitly. Our task is to write down a formula $\hat\varphi_i(\vec z, u, \vec x)$ such that

1. for each $j < i$, $\hat\varphi_i(\bar j, a, \vec x)$ is equivalent to $\hat\varphi_{i-1}(\bar j, a, \vec x)$;

2. for each $j < i$, $\hat\varphi_i(\bar j, b, \vec x)$ is equivalent to $\neg\hat\varphi_{i-1}(\bar j, a, \vec x)$;

3. $\hat\varphi_i(\bar i, a, \vec x)$ is equivalent to the displayed formula above, with each $R_j(\vec t_{j,p})$ replaced by $\hat\varphi_{i-1}(\bar j, a, \vec t_{j,p})$;

4. $\hat\varphi_i(\bar i, b, \vec x)$ is equivalent to the negation of the formula just described; and

5. in the definition of $\hat\varphi_i$, $\hat\varphi_{i-1}$ is used only once.

In order to do 3 and 4 simultaneously, we need duplicate copies of some of the variables and terms. Let $\bar Q_1, \ldots, \bar Q_m$ denote the quantifiers dual to $Q_1, \ldots, Q_m$. Pick a new sequence of variables $y'_1, \ldots, y'_m$, and let

$$\vec t'_{0,0}, \ldots, \vec t'_{0,l_0}, \ldots, \vec t'_{i-1,0}, \ldots, \vec t'_{i-1,l_{i-1}}$$

denote the sequences of terms obtained by replacing the $y_1, \ldots, y_m$ by $y'_1, \ldots, y'_m$ in each $\vec t_{j,p}$. Finally, let

$$v_{0,0}, \ldots, v_{0,l_0}, \ldots, v_{i-1,0}, \ldots, v_{i-1,l_{i-1}}, \qquad v'_{0,0}, \ldots, v'_{i-1,l_{i-1}}, \qquad v''_0, \ldots, v''_{i-1}$$

be sequences of new variables. We will use the variables $v_{j,p}$ to represent the truth values of $\hat\varphi_{i-1}(\bar j, a, \vec t_{j,p})$, the variables $v'_{j,p}$ to represent the truth values of $\hat\varphi_{i-1}(\bar j, a, \vec t'_{j,p})$, and the variables $v''_j$ to represent the truth values of $\hat\varphi_{i-1}(\bar j, a, \vec x)$, where the “truth value” is $a$ if the corresponding formula is true, and $b$ if it is false.

The formula $\hat\varphi_i(\vec z, u, \vec x)$ is defined to be

$$Q_1 y_1 \cdots Q_m y_m\, \bar Q_1 y'_1 \cdots \bar Q_m y'_m\, \forall \vec v, \vec v', \vec v''\, \big(Eval(\vec v, \vec v', \vec v'') \to$$

$$\bigwedge_{j<i} (\vec z = \bar j \wedge u = a \to v''_j = a) \wedge \bigwedge_{j<i} (\vec z = \bar j \wedge u = b \to v''_j \ne a) \wedge$$

$$(\vec z = \bar i \wedge u = a \to \psi[v_{0,0} = a, \ldots, v_{0,l_0} = a, \ldots, v_{i-1,0} = a, \ldots, v_{i-1,l_{i-1}} = a]) \wedge$$

$$(\vec z = \bar i \wedge u = b \to \neg\psi[v'_{0,0} = a, \ldots, v'_{0,l_0} = a, \ldots, v'_{i-1,0} = a, \ldots, v'_{i-1,l_{i-1}} = a])\big)$$

where $Eval(\vec v, \vec v', \vec v'')$ is the formula

$$\forall \vec r\, \forall s \in \{a, b\}\, \forall \vec w\, \Big(\hat\varphi_{i-1}(\vec r, s, \vec w) \to \bigwedge_{j<i} (\vec r = \bar j \wedge \vec w = \vec x \to v''_j = s) \wedge \bigwedge_{j<i} \bigwedge_{p \le l_j} (\vec r = \bar j \wedge \vec w = \vec t_{j,p} \to v_{j,p} = s) \wedge \bigwedge_{j<i} \bigwedge_{p \le l_j} (\vec r = \bar j \wedge \vec w = \vec t'_{j,p} \to v'_{j,p} = s)\Big).$$

Here $\forall s \in \{a, b\}\, \theta$ abbreviates $\forall s\,(s = a \vee s = b \to \theta)$. Note that $Eval(\vec v, \vec v', \vec v'')$ also depends on the free variables $\vec x, \vec y, \vec y'$ (because the terms $\vec t_{j,p}$ and $\vec t'_{j,p}$ do), but I will continue to leave these variables implicit.

First, let us check that each $\hat\varphi_i(\vec z, u, \vec x)$ satisfies the right equivalences, and then let us worry about the length. Inductively we know, for each $j \le i-1$, that

$$\forall \vec x\,(\hat\varphi_{i-1}(\bar j, a, \vec x) \leftrightarrow \neg\hat\varphi_{i-1}(\bar j, b, \vec x))$$

is provable from $a \ne b$. We can use this to show

$$\forall \vec x, \vec y, \vec y'\, \exists \vec v, \vec v', \vec v''\, Eval(\vec v, \vec v', \vec v'')$$

as well as

$$\forall \vec x, \vec y, \vec y', \vec v, \vec v', \vec v''\, \Big(Eval(\vec v, \vec v', \vec v'') \to \bigwedge_{j<i} (v''_j = a \leftrightarrow \hat\varphi_{i-1}(\bar j, a, \vec x)) \wedge \bigwedge_{j<i} \bigwedge_{p \le l_j} (v_{j,p} = a \leftrightarrow \hat\varphi_{i-1}(\bar j, a, \vec t_{j,p})) \wedge \bigwedge_{j<i} \bigwedge_{p \le l_j} (v'_{j,p} = a \leftrightarrow \hat\varphi_{i-1}(\bar j, a, \vec t'_{j,p}))\Big).$$

But then, going back to the definition of $\hat\varphi_i$, we see that for $j < i$, $\hat\varphi_i(\bar j, a, \vec x)$ is equivalent to $\hat\varphi_{i-1}(\bar j, a, \vec x)$, and $\hat\varphi_i(\bar j, b, \vec x)$ is equivalent to $\neg\hat\varphi_{i-1}(\bar j, a, \vec x)$. Also, $\hat\varphi_i(\bar i, a, \vec x)$ is equivalent to

$$Q_1 y_1 \cdots Q_m y_m\, \psi[\hat\varphi_{i-1}(\bar 0, a, \vec t_{0,0}), \ldots, \hat\varphi_{i-1}(\bar 0, a, \vec t_{0,l_0}), \ldots, \hat\varphi_{i-1}(\overline{i-1}, a, \vec t_{i-1,0}), \ldots, \hat\varphi_{i-1}(\overline{i-1}, a, \vec t_{i-1,l_{i-1}})]$$

and so we have

$$\hat\varphi_i(\bar i, a, \vec x) \leftrightarrow \varphi_i(\vec x)[\hat\varphi_{i-1}(\bar 0, a, \vec x)/R_0, \ldots, \hat\varphi_{i-1}(\overline{i-1}, a, \vec x)/R_{i-1}];$$

and $\hat\varphi_i(\bar i, b, \vec x)$ is equivalent to

$$\bar Q_1 y'_1 \cdots \bar Q_m y'_m\, \neg\psi[\hat\varphi_{i-1}(\bar 0, a, \vec t'_{0,0}), \ldots, \hat\varphi_{i-1}(\bar 0, a, \vec t'_{0,l_0}), \ldots, \hat\varphi_{i-1}(\overline{i-1}, a, \vec t'_{i-1,0}), \ldots, \hat\varphi_{i-1}(\overline{i-1}, a, \vec t'_{i-1,l_{i-1}})]$$

and so we have

$$\hat\varphi_i(\bar i, b, \vec x) \leftrightarrow \neg\varphi_i(\vec x)[\hat\varphi_{i-1}(\bar 0, a, \vec x)/R_0, \ldots, \hat\varphi_{i-1}(\overline{i-1}, a, \vec x)/R_{i-1}],$$

as required.

As far as length is concerned, it is not hard to check that the number of symbols occurring in $\hat\varphi_i$ apart from the instance of $\hat\varphi_{i-1}$ can be bounded by a polynomial in $|d|$ (in fact, even a linear one). In other words, there is a polynomial $p$ such that for each $i$ we have $|\hat\varphi_i| \le p(|d|) + |\hat\varphi_{i-1}|$, and hence $|\hat\varphi_i| \le (i+1)\,p(|d|) \le |d|\,p(|d|)$. Similarly, it is not hard to find polynomial bounds on the lengths of the proofs of the needed equivalences, and there are only polynomially many of them.

This completes the proof of Theorem 2.2. □

We have handled the case where there are at least two elements in the universe. On the other hand, on the assumption that there is only one element of the universe, we are reduced to propositional logic.

Proposition 2.3 $\{\forall x, y\,(x = y)\}$ has efficient elimination of definitions if and only if the corresponding assertion holds for propositional logic.

Proof Assuming $\forall x, y\,(x = y)$, every atomic formula $R(t_1, \ldots, t_k)$ is equivalent to $R(c, \ldots, c)$, where $c$ is the only element of the universe; $t_1 = t_2$ is always true; and quantifiers have no effect. To be more precise, let “the propositional simplification of $\psi$” denote the result of deleting all the quantifiers in $\psi$, replacing all atomic formulae $R(t_1, \ldots, t_k)$ by a propositional variable $R$, and replacing $t_1 = t_2$ by a fixed tautology. Then any first-order proof of $\forall x, y\,(x = y) \to \psi$ can be translated efficiently to a propositional proof of the propositional simplification of $\psi$, and vice-versa. □

This implies that the general problem of eliminating definitions from proofs in pure first-order logic is as hard (and as easy) as the propositional case.

Theorem 2.4 $\emptyset$ has an efficient elimination of definitions if and only if the corresponding assertion holds for propositional logic.

Proof It is a straightforward exercise to check that $\{\varphi \vee \psi\}$ has an efficient elimination of definitions if and only if $\{\varphi\}$ and $\{\psi\}$ both do. In particular, $\emptyset$ has an efficient elimination of definitions if and only if $\{\forall x, y\,(x = y)\}$ and $\{\exists x, y\,(x \ne y)\}$ do. □

As a corollary of Theorem 2.2, we have that one can eliminate $\leftrightarrow$ from standard proof systems with at most a polynomial increase in proof length. For propositional proof systems the proof (due to Reckhow, using a method by Spira; see [9]) is considerably more difficult.

Corollary 2.5 With any of the standard proof systems for first-order logic with equality given in [15], one can eliminate the propositional connective $\leftrightarrow$ with at most a polynomial increase in proof length.

Proof. By Theorem 2.2, it suffices to show that one can eliminate $\leftrightarrow$ efficiently in the corresponding proof systems with definitions. Use definitions to translate formulae in the language with $\leftrightarrow$ to the language without: translate $\varphi(\vec w) \leftrightarrow \psi(\vec z)$ to $(R_0(\vec w) \to R_1(\vec z)) \wedge (R_1(\vec z) \to R_0(\vec w))$, where $R_0$ and $R_1$ are defined to be equivalent to the translations of $\varphi$ and $\psi$, respectively. By induction one can show that each axiom and rule of inference can then be simulated, with polynomial bounds on the lengths. □
3 Eliminating Skolem functions

The following is the analogue of Definition 2.1 for Skolem functions.

Definition 3.1 Let $\Gamma$ be a set of first-order sentences in a language $L$. Say that $\Gamma$ has an efficient elimination of Skolem functions if there is a polynomial $p(x)$ such that the following holds: whenever $f_0(\vec x_0), \ldots, f_k(\vec x_k)$ are new function symbols of various arities, $\varphi_0(\vec x_0, y), \ldots, \varphi_k(\vec x_k, y)$ are formulae such that each $\varphi_i$ is in the language $L \cup \{f_0, \ldots, f_{i-1}\}$, and $d$ is a proof of a formula $\psi$ in $L$ from

$$\Gamma \cup \{\forall \vec x_0, y\,(\varphi_0(\vec x_0, y) \to \varphi_0(\vec x_0, f_0(\vec x_0))), \ldots, \forall \vec x_k, y\,(\varphi_k(\vec x_k, y) \to \varphi_k(\vec x_k, f_k(\vec x_k)))\},$$

then there is a proof $d'$ of $\psi$ from $\Gamma$ using only formulae in $L$, with $|d'| \le p(|d|)$.

Right off the bat, we have the following.

Proposition 3.2 $\{\forall x, y\,(x = y)\}$ has an efficient elimination of Skolem functions.

Proof Roughly speaking, if $c$ is the only element of the universe, every term can be replaced by $c$. □

By way of motivation, note that it is not hard to show that, say, Zermelo-Fraenkel set theory has an efficient elimination of Skolem functions. Argue as follows. Suppose $d$ is a proof of a formula $\psi$ from the axioms of ZF and some Skolem functions. Let $k$ be a bound on the complexity of the formulae occurring in this proof. In ZF, one can prove that the set of true sentences of complexity at most $k+1$ is consistent, and hence has a countable model. This countable model has Skolem functions, which can then be used to interpret the proof $d$.

This example suggests that one way to proceed is to try to determine how little one can get away with in carrying out an internal semantic argument of this kind. The answer turns out to be: very little.

Definition 3.3 Say a set of sentences $\Gamma$ codes finite functions (efficiently) if for each $n$ there are

• a definable element, “$0_n$”;

• a definable relation, “$x_0, \ldots, x_{n-1} \in dom_n(p)$”;

• a definable function, “$eval_n(p, x_0, \ldots, x_{n-1})$”; and

• a definable function, “$p \oplus_n (x_0, \ldots, x_{n-1} \mapsto y)$”

such that, for each $n$, $\Gamma$ proves

• $\vec x \notin dom_n(0_n)$

• $\vec w \in dom_n(p \oplus_n (\vec x \mapsto y)) \leftrightarrow (\vec w \in dom_n(p) \vee \vec w = \vec x)$

• $eval_n(p \oplus_n (\vec x \mapsto y), \vec x) = y$

• $\vec w \ne \vec x \to eval_n(p \oplus_n (\vec x \mapsto y), \vec w) = eval_n(p, \vec w)$,

and such that the lengths of all the definitions and proofs are bounded by a polynomial in $n$.

Of course, the intuition is that elements of the universe are assumed to code finite partial functions $p$; $0_n$ is the function that is nowhere defined; $eval_n(p, \vec x)$ returns the value of $p$ at $\vec x$; $p \oplus_n (\vec x \mapsto y)$ is the modification of $p$ which maps $\vec x$ to $y$; and so on. One could, more generally, assume that the codes are elements of a definable set; but then nothing is lost by taking the other elements of the universe to code the empty function. If one wants polynomial-time translations (and not just bounds on the lengths of proofs) one needs to add the constraint that the definitions and proofs above are polynomial-time computable in $n$.

These requirements are not strong ones. For example, any sequential theory of arithmetic (in the terminology of [7, 9, 11]) codes finite functions, since one can take such functions to be sequences of tuples $(\vec x, y)$. Below I will drop the subscripts $n$ in $0_n$, $dom_n$, etc. and I will write $p(\vec x)$ instead of $eval(p, \vec x)$. Clearly it does not hurt to assume that all these are actually given by symbols in the language.

Theorem 3.4 Suppose $\Gamma$ codes finite functions. Then $\Gamma$ has an efficient elimination of Skolem functions.

Proof The proof will occupy most of the remainder of this section. By Proposition 3.2 we can assume that there are at least two elements in the universe, and so, by Theorem 2.2, we can use definitions freely. By way of exposition, I will first focus on the case where $k = 0$, i.e. there is only one Skolem function to eliminate. (This part does not require definitions.) Then I will discuss the steps necessary to eliminate multiple, possibly nested instances of Skolem functions. (This is the part that requires definitions.)

Suppose we want to eliminate the use of a single Skolem function, with defining axiom $\forall \vec x, y\,(\varphi(\vec x, y) \to \varphi(\vec x, f(\vec x)))$. Let $L_f$ denote the language $L \cup \{f\}$. I will define a forcing relation in $L$, for formulae in $L_f$. I will then show that $\Gamma$ proves that the Skolem axiom is forced; and that anything in the original language is forced if and only if it is true. Given a proof $d$ of $\psi$ from $\Gamma$ together with the Skolem axiom, then, $\Gamma$ proves that $\psi$ is forced, and hence true.

Now for the details. Let the formula $Cond(p)$ in the language $L$ assert that $p$ is a finite approximation to a Skolem function for $\varphi$, that is,

$$\forall \vec x \in dom(p)\, \forall y\,(\varphi(\vec x, y) \to \varphi(\vec x, p(\vec x))).$$

Let $t$ be a term in $L_f$, and let $p$ be a variable not occurring in $t$. Inductively we will define a term $t^p$ in the language of $L$, whose free variables are those of $t$ together with $p$. Intuitively, $t^p$ is the value of $t$, when $f$ is interpreted by $p$. At the same time, we will define a relation “$t^p$ is defined,” asserting that the value of $t^p$ makes sense. Let

• $x^p = x$, for each variable $x$ (other than $p$),

• $(g(t_0, \ldots, t_m))^p = g(t_0^p, \ldots, t_m^p)$, for each function symbol $g$ of $L$, and

• $(f(t_0, \ldots, t_m))^p = p(t_0^p, \ldots, t_m^p)$.

Define “$t^p$ is defined” inductively as follows:

• “$x^p$ is defined” is always true.

• “$(g(t_0, \ldots, t_m))^p$ is defined,” where $g$ is a function symbol of $L$, is true if and only if $t_0^p, \ldots, t_m^p$ are all defined.

• “$(f(t_0, \ldots, t_m))^p$ is defined” is true if and only if $t_0^p, \ldots, t_m^p$ are all defined and $t_0^p, \ldots, t_m^p \in dom(p)$.

If $p$ and $q$ are conditions, say $p \preceq q$, “$p$ is stronger than or equal to $q$”, if $p$ extends $q$ as a function:

$$\forall \vec x\,(\vec x \in dom(q) \to \vec x \in dom(p) \wedge p(\vec x) = q(\vec x)).$$

Now we can define the relation $p \Vdash \theta$ inductively. We can assume that the language has connectives $\wedge$, $\to$, $\neg$, and $\forall$, with $\exists$ and $\vee$ defined from these in the usual way.

1. $p \Vdash R(t_0, \ldots, t_m)$ if and only if $\forall q \preceq p\, \exists r \preceq q\,(t_0^r, \ldots, t_m^r$ are all defined and $R(t_0^r, \ldots, t_m^r))$.

2. $p \Vdash \theta \wedge \eta$ if and only if $p \Vdash \theta$ and $p \Vdash \eta$.

3. $p \Vdash \theta \to \eta$ if and only if $\forall q \preceq p\,(q \Vdash \theta \to q \Vdash \eta)$.

4. $p \Vdash \neg\theta$ if and only if $\forall q \preceq p\, q \nVdash \theta$.

5. $p \Vdash \forall x\, \theta$ if and only if $\forall x\, p \Vdash \theta$.

The quantifiers involving $q$ and $r$ above are intended to range over conditions; so, for example, $\forall q \preceq p \ldots$ abbreviates $\forall q\,(Cond(q) \wedge q \preceq p \to \ldots)$. For each $\theta$, the relation $p \Vdash \theta$ is a formula in the language of $L$ whose free variables are those of $\theta$ together with $p$. Note that the length of $p \Vdash \theta$ can be bounded by a polynomial in $|\theta|$ (as well as in $|\varphi|$, which is being held fixed for the moment).

The phrase “$\theta$ is forced” and the notation $\Vdash \theta$ abbreviate $\forall p\,(Cond(p) \to p \Vdash \theta)$. In the lemmata that follow, $p, q, r, \ldots$ are assumed to range over conditions. Most of the proofs are routine and standard, modulo the additional notes provided below. It is important to recognize that the lengths of all the proofs alluded to in the statement of the lemmata can be bounded by a polynomial in the length of the assertion being proved, but having stated this up front, I will not bother to repeat it each time.


Lemma 3.5 (monotonicity) For each formula $\theta$ of $L_f$, $\Gamma$ proves

$$p \Vdash \theta \wedge q \preceq p \to q \Vdash \theta.$$

Lemma 3.6 For each formula $\theta$ of $L_f$, $\Gamma$ proves

$$p \Vdash \theta \leftrightarrow \forall q \preceq p\, \exists r \preceq q\, r \Vdash \theta.$$

Corollary 3.7 For each formula $\theta$ of $L_f$, $\Gamma$ proves

$$p \Vdash (\theta \leftrightarrow \neg\neg\theta).$$

Lemma 3.8 For any term $t$ of $L_f$, $\Gamma$ proves

$$\forall q\, \exists r \preceq q\,(t^r \text{ is defined}).$$

Proof. Use induction on the term $t$. The only interesting case is where $t$ is of the form $f(s_0, \ldots, s_k)$. By the induction hypothesis, we can find an $r' \preceq q$ such that $s_0^{r'}, \ldots, s_k^{r'}$ are all defined. If $s_0^{r'}, \ldots, s_k^{r'} \in dom(r')$, take $r = r'$. Otherwise, if $\exists y\, \varphi(s_0^{r'}, \ldots, s_k^{r'}, y)$, let $r = r' \oplus (s_0^{r'}, \ldots, s_k^{r'} \mapsto y)$, for any such $y$; and if $\forall y\, \neg\varphi(s_0^{r'}, \ldots, s_k^{r'}, y)$, let $r = r' \oplus (s_0^{r'}, \ldots, s_k^{r'} \mapsto y)$, for any $y$. □

The next two lemmata are proved by induction on $s$ and $\theta$, respectively.

Lemma 3.9 If $t$ and $s(x)$ are any terms of $L_f$, $\Gamma$ proves

$$t^p = z \to (s(t)^p = s(z)^p).$$

Lemma 3.10 If $\theta(x)$ is any formula of $L_f$ and $t$ is any term of $L_f$ then $\Gamma$ proves

$$(t^p \text{ is defined} \wedge t^p = z) \to (p \Vdash \theta(t) \leftrightarrow p \Vdash \theta(z)).$$

Lemma 3.11 For each formula $\theta$ of $L_f$, if $\theta$ is provable in classical first-order logic, then $\Gamma$ proves $\Vdash \theta$.

Proof. The proof is for the most part standard and routine, though one has to be a little bit careful with the quantifier axioms and rules since terms might not always be “defined.” To show $\forall x\, \theta(x) \to \theta(t)$ is forced, let us argue in first-order logic from assumptions in $\Gamma$. Suppose $p \Vdash \forall x\, \theta(x)$. By Lemma 3.6 it suffices to show $\forall q \preceq p\, \exists r \preceq q\, r \Vdash \theta(t)$. So suppose $q \preceq p$, and by Lemma 3.8 let $r \preceq q$ be such that $t^r$ is defined. Let $z = t^r$. By monotonicity, $r \Vdash \forall x\, \theta(x)$, so $r \Vdash \theta(z)$. By Lemma 3.10, $r \Vdash \theta(t)$. □

A formula in the original language is forced if and only if it is true.

Lemma 3.12 For each formula $\theta$ of $L$, $\Gamma$ proves $(p \Vdash \theta) \leftrightarrow \theta$.
Proof. Induction on $\theta$. □

The next lemma is the important one: it asserts that the Skolem axiom is forced.

Lemma 3.13 $\Gamma$ proves $\Vdash \forall \vec x, y\,(\varphi(\vec x, y) \to \varphi(\vec x, f(\vec x)))$.

Proof Once again, argue in first-order logic, from $\Gamma$. Suppose for some $\vec x, y$ we have $p \Vdash \varphi(\vec x, y)$. By Lemma 3.12, $\varphi(\vec x, y)$. By Lemma 3.6, it suffices to show $\forall q \preceq p\, \exists r \preceq q\, r \Vdash \varphi(\vec x, f(\vec x))$, so suppose $q \preceq p$. If $\vec x \in dom(q)$, the fact that $q$ is a condition guarantees $\varphi(\vec x, q(\vec x))$, and we can take $r = q$; otherwise, take $r = q \oplus (\vec x \mapsto y)$. Either way, as above, we have $r \Vdash \varphi(\vec x, f(\vec x))$, as required. □

Proof of Theorem 3.4, for a single Skolem function $f$. Suppose there is a proof $d$ of a formula $\psi$ in the language $L$ from finitely many sentences in $\Gamma \cup \{\forall \vec x, y\,(\varphi(\vec x, y) \to \varphi(\vec x, f(\vec x)))\}$. By Lemma 3.11, $\Gamma$ proves that this implication is forced. By Lemmata 3.12 and 3.13, $\Gamma$ proves that all the hypotheses are forced, so $\Gamma$ proves that $\psi$ is forced as well. By Lemma 3.12, $\Gamma$ proves $\psi$.

Since the length of each component of the derivation just described can be bounded by a polynomial in $|d|$, so can the entire proof. □

To extend the proof to arbitrary nested definitions of Skolem functions, we need to iterate the forcing definition. A similar iteration was used in [2]; the situation here is easier, since we only have to deal with finite iterations.

Let $d$, $f_0, \ldots, f_k$, $\varphi_0, \ldots, \varphi_k$ be as in Definition 3.1. For each $i \le k$, we will define the notion of an $i$-condition, an ordering $\preceq_i$ on $i$-conditions, and a forcing relation $\Vdash_i$ between $i$-conditions and formulae $\theta$ in the language $L \cup \{f_0, \ldots, f_i\}$. An $i$-condition consists of a sequence $p_0, \ldots, p_i$ of finite functions, with arities corresponding to those of $f_0, \ldots, f_i$. As expected, $p_0, \ldots, p_i \preceq_i q_0, \ldots, q_i$ means that each $p_j$ extends $q_j$, as above.

The notions $Cond_i$ and $\Vdash_i$ are defined simultaneously, by recursion on $i$. $Cond_0(p)$ and $p \Vdash_0 \theta$ are defined as above, in the case where there is only one Skolem function. Assuming $Cond_i$ and $\Vdash_i$ have been defined, the relation $Cond_{i+1}(p_0, \ldots, p_{i+1})$ is defined by

$$Cond_i(p_0, \ldots, p_i) \wedge p_0, \ldots, p_i \Vdash_i \forall \vec x_{i+1}, y\,(\vec x_{i+1} \in dom(p_{i+1}) \wedge \varphi_{i+1}(\vec x_{i+1}, y) \to \varphi_{i+1}(\vec x_{i+1}, p_{i+1}(\vec x_{i+1}))).$$

In the atomic case, assuming $t_0, \ldots, t_m$ are terms in the language of $L \cup \{f_0, \ldots, f_{i+1}\}$, the relation $p_0, \ldots, p_{i+1} \Vdash_{i+1} R(t_0, \ldots, t_m)$ is defined by

$$\forall \vec q \preceq \vec p\, \exists \vec r \preceq \vec q\,(t_0^{\vec r}, \ldots, t_m^{\vec r} \text{ are defined and } R(t_0^{\vec r}, \ldots, t_m^{\vec r})).$$

The forcing relation is then extended to arbitrary formulae in the language as above. Notice that the relation $\Vdash_i$ is used in the definition of $Cond_{i+1}$, which is in turn used to define $\Vdash_{i+1}$. By introducing new relation symbols to represent the definitions of $Cond_0, \ldots, Cond_k$, we can bound the lengths of all the formulae involved by a polynomial.

Lemma 3.14 For each $i \le k$, Lemmata 3.5-3.11 hold for $i$-conditions, $\preceq_i$, and $\Vdash_i$.

Lemma 3.15 For each $i \le k$, if $\theta$ is in the language $L \cup \{f_0, \ldots, f_i\}$, then $\Gamma$ proves the following:

$$p_0, \ldots, p_k \Vdash_k \theta \leftrightarrow p_0, \ldots, p_i \Vdash_i \theta.$$

Lemma 3.16 For each $i \le k$, $\Gamma$ proves that the $i$th Skolem axiom is $k$-forced.

Once again, the lengths of the relevant proofs can be bounded by a polynomial in $|d|$. The proof of Theorem 3.4 now follows exactly as in the case of a single Skolem function. □

If $a$ and $b$ are distinct and $f$ is a Skolem function for $(\varphi(\vec x) \wedge y = a) \vee (\neg\varphi(\vec x) \wedge y = b)$, then $f(\vec x) = a$ serves as a definition for $\varphi(\vec x)$. As a corollary to Theorem 3.4 we have the following:

Corollary 3.17 Suppose $\Gamma$ codes finite functions and proves $\exists x, y\,(x \ne y)$. Then one can eliminate arbitrary nested instances of definitions and Skolem functions from proofs in $\Gamma$, with a polynomial bound on the increase in the lengths of proofs.

4 Questions

In standard terminology (e.g. [9, 11]), Section 2 shows that one can eliminate definitions from proofs in first-order logic in polynomial time if and only if extended Frege systems for propositional logic can be p-simulated by Frege systems. Of course, whether or not this is the case is still a major open question. Section 2 shows that Theorem 2.2 and Corollary 2.5 hold for first-order logic with equality. What can one say in the absence of equality?

It is also still open as to whether one can efficiently eliminate even a single Skolem function from proofs in pure logic, or from theories that do not code finite functions.

The elimination of definitions in Section 2 used the law of the excluded middle. As a result, it is open as to whether one has an efficient elimination of definitions in intuitionistic first-order logic. (See also [12] for a discussion of choice functions in the intuitionistic setting.)

This work has been partially supported by NSF grant DMS 0070600. I am grateful to Samuel Buss for advice and suggestions.
Abstract

The guarded fragment with transitive guards, [GF+TG], is an extension of GF in which certain relations are required to be transitive, transitive predicate letters appear only in guards of the quantifiers and the equality symbol may appear everywhere. We prove that the decision problem for [GF+TG] is decidable. This answers the question posed in [11]. Moreover, we show that the problem is 2EXPTIME-complete. This result is optimal since the satisfiability problem for GF is 2EXPTIME-complete [12]. We also show that the satisfiability problem for two-variable [GF+TG] is NEXPTIME-hard in contrast to GF with bounded number of variables for which the satisfiability problem is EXPTIME-complete.


1  Introduction 

Modal  logic,  that  in  medieval  times  was  studied  by 
philosophers,  in  the  last  decades  became  a  subject  of 
interest  for  computer  scientists.  Modal  logic  has  ap¬ 
plications  in  many  areas  of  computer  science  includ¬ 
ing  artificial  intelligence  [5,  21],  program  verification 
[8,  24,  23],  database  theory  [7,  20]  and  distributed  com¬ 
puting  [6,  16]. 

Propositional modal logic possesses useful model-theoretic and good algorithmic properties, like finite axiomatizability, Craig interpolation, Beth definability and decidability for validity. The tractability of modal logic was partially explained when D. Gabbay [10] showed that modal logic can be embedded in FO², the fragment of first order logic with two variables, which is decidable. The decidability of FO² was studied by D. Scott [25], who proved that the satisfiability problem for FO² without equality is decidable, by M. Mortimer [22], who proved that FO² with equality has a finite model property, and by E. Grädel, Ph. Kolaitis and M. Vardi [13], who proved the exponential model property for FO². The last result together with the result by H. Lewis [19] implies that the satisfiability problem for FO² is NEXPTIME-complete.

*This research was supported by KBN grant 2 P03A 018 18

FO² can be used as a representative language also for a number of knowledge representation logics (description logics) [2]. Moreover, many extensions of modal logics that are not fragments of FO² can easily be embedded in some extensions of FO²; for example, CTL and the μ-calculus can be treated as FO² with a fixed-point operator [28], and many powerful variants of the description logics can be embedded in C², the extension of FO² with counting quantifiers, or in … with transitivity [4].

Although the translation of modal logic to FO² explains some good properties of modal logic, it does not work in the same way for distinct extensions of modal logic. In particular, CTL has an EXPTIME-complete validity problem, but FO² with a fixed-point operator was shown to be undecidable [14]. Similarly, Immerman and Vardi proved [17] that CTL can be embedded in FO² with a transitive closure operator, which is again undecidable. In addition, FO² has a very poor proof theory, so it cannot be seen as a natural fragment of predicate logic extending modal logic and capturing all nice properties of modal logic. The model-theoretic reason for the nice behavior of modal logic was recently given in [28], where Vardi answers the explicitly asked question 'Why is modal logic so robustly decidable?'

The guarded fragment. In 1996, H. Andréka, J. van Benthem and I. Németi [1] introduced the guarded fragment of first-order logic, GF, in order to explain and generalize the good properties of modal logic. GF consists of first-order formulas where all quantifiers are appropriately relativized by atoms, but neither the pattern of alternations of quantifiers nor the number of variables is restricted. Andréka et al. showed that modal logic can be embedded in GF and they argued convincingly that GF inherits the nice properties of modal logic. The nice behavior of GF was confirmed by Grädel [12], who proved that the satisfiability problem for GF is complete for double exponential time, and complete for exponential time when the number of variables is bounded.

In order to express certain properties of temporal logic, GF was later generalized by van Benthem [27] to the loosely guarded fragment, LGF, where all quantifiers are relativized by conjunctions of atoms. Most of the properties of GF generalize to LGF.

In [28] Vardi argued that one of the main reasons for the nice behavior of modal logics is the tree model property. It was proved [12] that both GF and LGF also have a tree-model property analogous to the tree-model property for modal logic; in addition, GF has the finite model property. So, having proved several good properties of the guarded fragment, one could expect that the same will hold for some extensions of GF, similarly to basic modal logic, which remains decidable and of fairly low complexity under the addition of a variety of operators and features, such as counting modalities, transitive closure modalities and conditions on the accessibility relation. In [15] Grädel and Walukiewicz proved that extending GF with fixed point operators one still gets a decidable logic. Moreover, they proved that the satisfiability problem for GF with fixed points can be decided in the same time as for pure GF. The same is true for GF with a bounded number of variables.

The transitivity constraints. The extension of the guarded fragment by transitivity seems to be a natural representative language e.g. for multi-modal logics of type K4, S4 or S5. These multi-modal logics are used to formalize epistemic logics [9]. Unfortunately, Grädel [12] proved that

• GF³, the three-variable fragment of GF, with transitive relations (or with counting quantifiers) is undecidable.

The three-variable guarded fragment may be too strong to represent modal logics, since, as mentioned at the beginning, two variables suffice. However, in [11], besides other results, H. Ganzinger, C. Meyer and M. Veanes improved the result by Grädel [12], showing that even

• GF² with transitive relations and without equality is undecidable.

In [11] Ganzinger et al. studied decidability issues for the extension of GF with transitivity constraints and they proposed a logic that is an extension of GF in which transitive predicate letters appear only in guards of the quantifiers, whereas non-transitive predicates and the equality symbol may appear everywhere. In this paper we denote it by [GF+TG] and we call it the guarded fragment with transitive guards. [GF+TG] is powerful enough to be used as a representative language for multi-modal logics of type K4, S4 or S5, since when encoding them in first order logic the predicate letters corresponding to accessibility relations occur only in guards. By [GF²+TG] we denote the two-variable fragment of [GF+TG] and by monadic-[GF²+TG] the fragment of [GF²+TG] in which all non-unary predicate letters may appear in guards only. Ganzinger et al. [11] gave a nice proof of the theorem that

• monadic-[GF²+TG] is decidable,

and they asked the following two questions:

1. What is the complexity of monadic-[GF²+TG]? (The proof in [11] proceeds through a reduction to the monadic theory of a tree, SkS, and hence no special complexity bound has been given there.)

2. Is satisfiability of the full [GF+TG] decidable?

This paper. We prove that the satisfiability of [GF+TG] can be decided in deterministic double exponential time. Since [GF+TG] is an extension of GF we immediately get that [GF+TG] is 2EXPTIME-complete. So, similarly to GF with fixed point operators, we do not have to pay more for adding transitive guards, and this makes [GF+TG] the right counterpart of certain extensions of modal logics.

We also prove that the satisfiability problem for monadic-[GF²+TG] with equality is hard for nondeterministic exponential time. This is proved by a reduction of FO²-sentences to [GF²+TG]-sentences that preserves satisfiability. This reduction is based on the observation that in monadic-[GF²+TG] we are able to define cliques that are big enough to enclose models for FO²-sentences. Then NEXPTIME-hardness of [GF²+TG] follows from NEXPTIME-hardness of FO². This result has been recently improved by E. Kieroński [18], who showed that monadic-[GF²+TG], even without equality, is hard for EXPSPACE. These results are rather surprising since both GF and GF with fixed point operators, when restricted to a bounded number of variables, are EXPTIME-complete, and as we show in the main part of the paper the complexity for the full [GF+TG] is exactly the same as for GF.

It is worth noticing that [GF+TG] and [GF²+TG] are strictly more expressive than the monadic subclass. As an example of a [GF²+TG]-sentence that cannot be expressed in monadic-[GF²+TG] one can take the sentence defining cliques since, as we observed in [26], every satisfiable monadic-[GF²+TG] sentence has a model without symmetric edges.

The proof of the decidability is very technical. To obtain the decision procedures we apply new techniques inspired by the standard methods of modal logic that were used for establishing positive results for GF and its extensions, namely the tree-model property and bisimulation.

As the first step we observe that the size of cliques of elements connected with transitive relations in models of [GF+TG]-sentences can be bounded. Using this observation, we define ramified structures that have cliques of exponential size (with respect to the signature), and that have only disjoint transitive paths for distinct transitive predicate letters. Then, for a fixed element a of a ramified structure, we define a flower that contains information about the cliques of the element a and the colors of elements connected with a by non-symmetric edges.

As the next step we observe that the set of flowers realized in a ramified model for a [GF+TG]-sentence satisfies some properties; for example, if two distinct elements are connected with a non-symmetric, transitive predicate, then every color connected with the first element has to be connected with the second one. We collect several such properties in the definition of a special set of flowers named a carpet and we show that these properties are necessary and sufficient for the existence of a model for a [GF+TG]-sentence. In the proofs we do not construct models that explicitly possess the tree-model property, but the models are "tree-controlled": during the construction every element is added as a child of an element on a fixed level of a tree. The proof that a (ramified) structure is a model for a [GF+TG]-sentence can be seen as an application of bisimulation, but where at every moment we need to care about a big set of cliques of elements that lie on one transitive path.

The final step is based on the facts that the size of a flower is exponential and the number of all flowers is double exponential, and this allows us to build an alternating test for satisfiability of [GF+TG]-sentences that uses exponential space.

2  Preliminaries 

By $\mathrm{FO}^k$ we denote the class of first order sentences with k variables over a relational signature. The guarded fragment, GF, of first-order logic with no function symbols of arity greater than 0, is defined as the least set of formulas such that

(1) every atomic formula belongs to GF,

(2) GF is closed under the logical connectives $\neg, \vee, \wedge, \rightarrow$,

(3) if $\mathbf{x}, \mathbf{y}$ are tuples of variables, $\alpha(\mathbf{x},\mathbf{y})$ is atomic and $\psi(\mathbf{x},\mathbf{y})$ is a formula of GF with free variables contained in $\{\mathbf{x},\mathbf{y}\}$, then the formulas

$\forall \mathbf{y}\,(\alpha(\mathbf{x},\mathbf{y}) \rightarrow \psi(\mathbf{x},\mathbf{y}))$,

$\exists \mathbf{y}\,(\alpha(\mathbf{x},\mathbf{y}) \wedge \psi(\mathbf{x},\mathbf{y}))$

belong to GF.

The atom $\alpha(\mathbf{x},\mathbf{y})$ in the above formulas is called the guard of the quantifier.

In this paper we admit conditions stating that some binary predicate T is transitive; we express these conditions by "T is transitive" and we let $\mathrm{Trans}[T_1, \ldots, T_m]$ stand for the condition that each $T_i$ is transitive. In this case we also say that T is a transitive predicate letter. Denote by [GF+TG] the set of sentences contained in GF with all transitive predicate letters appearing in guards only and where the equality symbol can appear everywhere, and let $[\mathrm{GF}^k{+}\mathrm{TG}] = \mathrm{FO}^k \cap [\mathrm{GF}{+}\mathrm{TG}]$.

Let σ be a relational signature. If $\mathbf{x}$ is a sequence of variables $(x_1, \ldots, x_k)$, then a k-type $t(\mathbf{x})$ is a maximal consistent set of atomic and negated atomic formulas over σ in the variables of $\mathbf{x}$. A type t is often identified with the conjunction of the formulas in t. If not stated otherwise, 1-types are types of the variable x and 2-types are types of the variables x and y.

Let $\varphi(\mathbf{x})$ be a quantifier-free formula in the variables of $\mathbf{x}$. We say that a type t satisfies $\varphi$ if $\varphi$ is true under the truth assignment that assigns true to an atomic formula precisely when it is a member of t, and this is denoted by $t \models \varphi$.

A k-type s is a reduction of an m-type t if there exists a substitution $p : \{1, \ldots, k\} \rightarrow \{1, \ldots, m\}$ such that $t(x_1, \ldots, x_m) \models s(x_{p(1)}, \ldots, x_{p(k)})$. A (k+1)-type t extends a k-type s if $s \subseteq t$, and a (k+1)-type t properly extends a k-type s if t extends s and for every $i \le k$, t contains the formula $x_i \neq x_{k+1}$.

If $\mathfrak A$ is a σ-structure with the universe A, and if $\mathbf{a} \in A^k$, then we denote by $\mathrm{tp}^{\mathfrak A}(\mathbf{a})$ the unique k-type realized by $\mathbf{a}$ in $\mathfrak A$. If $B \subseteq A$ then $\mathfrak A{\restriction}B$ denotes the substructure of $\mathfrak A$ restricted to the universe B.

If $\mathfrak A$ and $\mathfrak B$ are σ-structures, $a \in A$ and $b \in B$, then we write $(\mathfrak A, a) \cong (\mathfrak B, b)$ to say that there is an isomorphism f of the structures $\mathfrak A$ and $\mathfrak B$ such that $f(a) = b$.

3  The  normal  form 

In [12] Grädel showed a reduction that transforms each GF-sentence to a sentence in normal form that preserves satisfiability. In this section we show a similar reduction that additionally keeps the number of variables and the arity of predicate letters of the input sentence.

Definition 3.1 A [GF+TG]-sentence Λ is in normal form iff it is a conjunction of sentences of the following form:

(n1) $\exists \mathbf{x}\,(\alpha(\mathbf{x}) \wedge \psi(\mathbf{x}))$,

(n2) $\forall \mathbf{x}\,(\alpha(\mathbf{x}) \rightarrow \exists \mathbf{y}\,(\beta(\mathbf{x},\mathbf{y}) \wedge \psi(\mathbf{x},\mathbf{y})))$,

(n3) $\forall \mathbf{x}\,(\alpha(\mathbf{x}) \rightarrow \psi(\mathbf{x}))$,

where $\mathbf{y} \cap \mathbf{x} = \emptyset$, α and β are atomic formulas, ψ is quantifier-free and it contains no transitive predicate letter.

We have the following lemma.

Lemma 3.2 With every $[\mathrm{GF}^k{+}\mathrm{TG}]$-sentence Γ of length n over a signature τ one can effectively associate a set Δ of $[\mathrm{GF}^k{+}\mathrm{TG}]$-sentences in normal form over an extended signature σ, $\Delta = \{\Lambda_1, \ldots, \Lambda_d\}$, such that

(1) Γ is satisfiable if and only if $\bigvee_{i \le d} \Lambda_i$ is satisfiable,

(2) $d \le O(2^n)$ and for every $i \le d$, $|\Lambda_i| = O(n \log n)$,

(3) Δ can be computed deterministically in exponential time and every sentence $\Lambda_i$ can be computed in polynomial time with respect to n.

4  An  example 

In this section we give an example of a sentence in [GF²+TG] defining cliques. Hence the class [GF²+TG] is strictly more expressive than GF and monadic-[GF²+TG] since, as we observed in [26], every satisfiable monadic-[GF²+TG]-sentence has a model without symmetric edges.

Let $\sigma(k) = \{T, U_1, \ldots, U_k\}$, where T is a transitive predicate letter and the $U_i$ are unary predicate letters, and let Γ(k) be the conjunction of the following clauses.

(e1) $\forall x \exists y\,(T(x,y) \wedge \bigwedge_{i \le k} U_i(y))$,

(e2) $\forall x \exists y\,(T(y,x) \wedge \ldots)$,

(e3) $\forall x, y\,(T(x,y) \rightarrow (\bigvee_{i \le k} (U_i(x) \leftrightarrow \neg U_i(y)) \vee x = y))$,

(e4) $\mathrm{Trans}[T]$.

Note that Γ(k) is a GF-sentence since every sentence of the form $\forall x \exists y\,(\alpha(x,y) \wedge \beta(x,y))$ can be written as $\forall x\,((x = x) \rightarrow \exists y\,(\alpha(x,y) \wedge \beta(x,y)))$. One can check that Γ(k) is satisfiable and in every model for Γ(k), T is an equivalence relation with equivalence classes of cardinality bounded by $2^k$.
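As an added example (not code from the paper), the following Python checks clauses (e1)–(e4) of Γ(k) over a finite σ(k)-structure and verifies the stated consequence, that T is an equivalence relation whose classes have at most $2^k$ elements; since the body of (e2) is cut off above, it is assumed here to mirror (e1), i.e. to require all $U_i(y)$.

```python
"""Model checking for the clique sentence Gamma(k) of Section 4.

Added example; not code from the paper. A finite sigma(k)-structure is
(univ, T, U): a list of elements, the set of pairs in T and a list of
k sets interpreting U_1..U_k. The body of clause (e2) is cut off in the
scanned text; it is ASSUMED here to be the same conjunction of U_i(y)
as in (e1), which is what the bound 2^k on the T-classes requires.
"""
from itertools import product


def all_u_elements(univ, U):
    """Elements satisfying every U_i, i.e. carrying the full U-profile."""
    return {y for y in univ if all(y in Ui for Ui in U)}


def violated_clause(univ, T, U):
    """Return the name of the first clause of Gamma(k) that fails, or None."""
    all_u = all_u_elements(univ, U)
    # (e1)  forall x exists y (T(x,y) and /\_i U_i(y))
    if not all(any((x, y) in T for y in all_u) for x in univ):
        return "e1"
    # (e2)  forall x exists y (T(y,x) and ...)  -- body assumed, see above
    if not all(any((y, x) in T for y in all_u) for x in univ):
        return "e2"
    # (e3)  forall x,y  T(x,y) -> (\/_i (U_i(x) <-> not U_i(y)) or x = y)
    for x, y in T:
        if x != y and not any((x in Ui) != (y in Ui) for Ui in U):
            return "e3"
    # (e4)  Trans[T]
    if any((a, d) not in T for a, b in T for c, d in T if b == c):
        return "e4"
    return None


def is_equivalence(univ, T):
    """Reflexive, symmetric and transitive on univ."""
    return (all((x, x) in T for x in univ)
            and all((y, x) in T for x, y in T)
            and all((a, d) in T for a, b in T for c, d in T if b == c))


def t_classes(univ, T):
    """Equivalence classes of T (meaningful once is_equivalence holds)."""
    return {frozenset(y for y in univ if (x, y) in T) for x in univ}


def classes_within_bound(univ, T, U):
    """Every T-class has at most 2^k elements, where k = len(U)."""
    return all(len(c) <= 2 ** len(U) for c in t_classes(univ, T))


def full_clique(k):
    """Constructed model of Gamma(k): one element per U-profile, T total.
    Its single T-class has exactly 2^k elements, so the bound is tight."""
    univ = list(product((0, 1), repeat=k))
    T = {(x, y) for x in univ for y in univ}
    U = [{x for x in univ if x[i] == 1} for i in range(k)]
    return univ, T, U


def two_cliques(k):
    """Two disjoint copies of full_clique(k): a model with two T-classes."""
    univ, _, _ = full_clique(k)
    c0 = [(0,) + x for x in univ]
    c1 = [(1,) + x for x in univ]
    T = {(x, y) for x in c0 for y in c0} | {(x, y) for x in c1 for y in c1}
    U = [{x for x in c0 + c1 if x[i + 1] == 1} for i in range(k)]
    return c0 + c1, T, U


if __name__ == "__main__":
    univ, T, U = full_clique(3)
    print(violated_clause(univ, T, U), is_equivalence(univ, T),
          [len(c) for c in t_classes(univ, T)])          # None True [8]
    # an oriented T violates (e2): "a" has no T-predecessor with the full profile
    print(violated_clause(["a", "b"], {("a", "b"), ("b", "b")}, [{"b"}]))  # e2
    # three elements but one U: two of them share a profile, so (e3) fails
    trio = {(x, y) for x in "abc" for y in "abc"}
    print(violated_clause(list("abc"), trio, [{"a"}]))    # e3
```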

In [13] Grädel, Kolaitis and Vardi prove that FO² has the exponential model property: there is a constant c such that every satisfiable FO²-sentence Φ has a model of cardinality at most ….

Let Φ be an FO²-sentence over a signature τ in Scott's form $\forall x, y\,\varphi(x,y) \wedge \bigwedge_i \forall x \exists y\,\varphi_i(x,y)$, where $\varphi(x,y)$ and $\varphi_i(x,y)$ are quantifier-free. Let T be a new binary predicate letter and let Φ' be the following sentence:

$\forall x, y\,(T(x,y) \rightarrow \varphi(x,y)) \wedge \bigwedge_i \forall x \exists y\,(T(x,y) \wedge \varphi_i(x,y))$.

Define the sentence Ψ over the signature $\sigma = \tau \cup \sigma(k)$: $\Psi = \Phi' \wedge \Gamma(k)$, where $k = c \cdot |\Phi|$ and c is given by the exponential model property for FO². We have

(1) Ψ is satisfiable if and only if Φ is satisfiable,

(2) $|\Psi| = O(|\Phi| \log |\Phi|)$ and Ψ is computable in polynomial time with respect to $|\Phi|$.

So, we have proved:

Theorem 4.1 SAT([GF²+TG]) is NEXPTIME-hard.

5  The  two-variable  case 

In this section we are concerned with a signature σ consisting of unary predicate letters $U_i$ and binary predicate letters $B_i$. We do not allow Boolean predicates, function symbols and constants. Assume that $T_1, \ldots, T_m$ are all the transitive predicate letters of σ. Let $M = \{1, \ldots, m\}$.

We reserve the letter T to denote transitive predicates. So, when the predicate letter T or $T_i$ appears in a sentence, then the sentence includes as a conjunct $\mathrm{Trans}[T]$ or $\mathrm{Trans}[T_i]$, even if this is not written explicitly. Additionally, we allow only 2-types $t(x,y)$ which contain the formula $x \neq y$, and we consider structures that have at least two elements.

Remark. Although we do not allow predicate letters of arity greater than two, it is possible to transform every two-variable sentence that uses such predicate letters to a sentence over a signature containing predicate letters of arity at most two (cf. [13]). Moreover, the main part of the new sentence has the same form as the original one and every conjunct that was added during the transformation is a GF²-sentence with binary predicate letters only. So, with respect to satisfiability, the language σ can be bounded without loss of generality.

In this section we assume that the conjuncts of a [GF²+TG]-sentence in normal form have the following form (cf. Definition 3.1):

(n1) $\exists x\,\psi(x)$,

(n2) $\forall x\,(\alpha(x) \rightarrow \exists y\,(\beta(x,y) \wedge \psi(x,y)))$,

(n3) $\forall x \forall y\,(\alpha(x,y) \rightarrow \psi(x,y))$.

5.1 Ramified models for [GF²+TG]-sentences

In Section 4 we proved that [GF²+TG]-sentences can define cliques. In this section we show that the size of cliques of elements connected with transitive relations can be bounded. Using this observation, we define ramified structures that have cliques of exponential size (with respect to the signature), and that have only disjoint transitive paths for distinct transitive predicate letters.

Definition 5.1 (1) A 2-type $t(x,y)$ is single-transitive if there exists exactly one transitive predicate letter T such that $t \models T(x,y) \vee T(y,x)$. In this case we also say that t is T-single-transitive. Additionally, if $t \models T(x,y) \wedge T(y,x)$ then t is symmetric, otherwise t is oriented.

(2) A 2-type $t(x,y)$ is transitive-less if all the two-variable formulas of $t(x,y)$ containing transitive predicate letters are negated.

(3) Let $v(x), w(y)$ be 1-types. A negative link of v, w, denoted by $\overline{v,w}$, is the unique 2-type containing $v(x)$, $w(y)$ and no atomic two-variable formula.

Definition 5.2 Let $\mathfrak A$ be a σ-structure, B be a binary predicate letter in σ and $\mathfrak C$ be a substructure of $\mathfrak A$. We say that $\mathfrak C$ is a B-clique if for every $a, b \in C$ we have $(a,b) \in B^{\mathfrak A}$.

Let $a \in A$. We denote by $[a]^{\mathfrak A}_B$ the maximal B-clique containing a, provided it exists and B is a transitive predicate letter. In other cases, $[a]^{\mathfrak A}_B$ is the one-element structure $\mathfrak A{\restriction}\{a\}$.

Observe that the structure $[a]^{\mathfrak A}_B$ need not be a clique even in the case when B is a transitive predicate letter. This happens when there is no element $b \in A$ such that $(a,b) \in B^{\mathfrak A}$.

Definition 5.3 Let Λ be a [GF²+TG]-sentence in normal form over σ. A σ-structure $\mathfrak R$ is a ramified model for Λ if the following conditions hold:

(1) $\mathfrak R \models \Lambda$,

(2) for every $a, b \in R$ such that $a \neq b$, $\mathrm{tp}^{\mathfrak R}(a,b)$ is either a single-transitive or a transitive-less type,

(3) for every $i, j \in M$ such that $i \neq j$, for every $a, b, c \in R$, $b \neq a$, $c \neq a$, if $b \in [a]^{\mathfrak R}_{T_i}$ and $c \in [a]^{\mathfrak R}_{T_j}$ then $\mathrm{tp}^{\mathfrak R}(b,c) = \overline{\mathrm{tp}^{\mathfrak R}(b), \mathrm{tp}^{\mathfrak R}(c)}$,

(4) for every $a \in R$, for every $T \in \sigma$, the cardinality of $[a]^{\mathfrak R}_T$ is bounded by ….

In the above definition we have introduced one of the key notions for this paper. We have the following theorem.

Theorem 5.4 Every satisfiable [GF²+TG]-sentence Λ in normal form has a ramified model.

As we will see later, a ramified model is tree-controlled, which means that if we want to build it, we are able to treat the model as a tree, i.e. the universe is partitioned into levels and all the witnesses of elements lying on a given level are their immediate successors.

Before giving the proof we present technical lemmas and introduce some notions that will be useful later.

Definition 5.5 Let t be a 2-type over σ and B be a binary predicate letter in σ.

A B-slice of t, denoted by $t|_B$, is the unique 2-type obtained from t by replacing every atomic formula of the form $T_i(x,y)$ and $T_i(y,x)$, where $T_i \neq B$, by the formula $\neg T_i(x,y)$ and $\neg T_i(y,x)$, respectively.

Let $\mathcal T$ be a set of types. We denote by $\overline{\mathcal T}$ the set $\{v : v(x) \in \mathcal T\} \cup \{t|_B : t(x,y) \in \mathcal T \text{ and } B \in \sigma\} \cup \{\overline{v,w} : v(x), w(x) \in \mathcal T\}$.

Note that if B is not a transitive predicate letter, then $t|_B$ is a transitive-less type. On the other hand, when considering $t|_T$, the only possible appearance of an atomic formula containing a transitive predicate letter is $T(x,y)$ and/or $T(y,x)$, provided the type t contains $T(x,y)$ and/or $T(y,x)$.
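The following Python is an added example rather than the paper's own code: it computes 2-types over a small constructed signature with two transitive letters, classifies them as in Definition 5.1, forms cliques (Definition 5.2) and B-slices (Definition 5.5), and checks conditions (2) and (3) of Definition 5.3 on a constructed structure; the signature and the structure are assumptions made for illustration.

```python
"""2-types, slices, negative links and cliques (Definitions 5.1-5.5).

Added example; not code from the paper. A structure is (univ, interp),
interp mapping every predicate letter of the constructed signature below
to its set of tuples. 1-types and 2-types are dicts from atoms (written as
strings) to truth values; only 2-types with x != y occur, as in Section 5.
"""

UNARY = ["U"]
BINARY = ["T1", "T2", "B"]
TRANS = {"T1", "T2"}           # T1, T2 are transitive letters, B is not


def one_type(interp, a):
    """1-type of a: the unary atoms and the self-loops P(x,x)."""
    t = {f"{P}(x)": (a,) in interp[P] for P in UNARY}
    t.update({f"{P}(x,x)": (a, a) in interp[P] for P in BINARY})
    return t


def two_type(interp, a, b):
    """2-type of (a, b), a != b: v(x), w(y) plus the two-variable atoms."""
    assert a != b
    t = one_type(interp, a)
    t.update({k.replace("x", "y"): val for k, val in one_type(interp, b).items()})
    for P in BINARY:
        t[f"{P}(x,y)"] = (a, b) in interp[P]
        t[f"{P}(y,x)"] = (b, a) in interp[P]
    return t


def cross_transitive(t):
    """Transitive letters T with t |= T(x,y) v T(y,x)."""
    return {T for T in TRANS if t[f"{T}(x,y)"] or t[f"{T}(y,x)"]}


def single_transitive(t):
    """Def. 5.1(1): the unique such T, or None if there is not exactly one."""
    s = cross_transitive(t)
    return next(iter(s)) if len(s) == 1 else None


def is_symmetric(t, T):
    """Def. 5.1(1): T(x,y) and T(y,x) both hold; otherwise t is oriented."""
    return t[f"{T}(x,y)"] and t[f"{T}(y,x)"]


def is_transitive_less(t):
    """Def. 5.1(2): every two-variable atom with a transitive letter is negated."""
    return not cross_transitive(t)


def negative_link(v, w):
    """Def. 5.1(3): the 2-type with v(x), w(y) and no two-variable atom."""
    t = dict(v)
    t.update({k.replace("x", "y"): val for k, val in w.items()})
    for P in BINARY:
        t[f"{P}(x,y)"] = t[f"{P}(y,x)"] = False
    return t


def slice_(t, B):
    """Def. 5.5: negate T(x,y) and T(y,x) for every transitive T != B."""
    s = dict(t)
    for T in TRANS - {B}:
        s[f"{T}(x,y)"] = s[f"{T}(y,x)"] = False
    return s


def clique(univ, interp, a, B):
    """Def. 5.2: [a]_B, the maximal B-clique containing a, else just {a}."""
    if B in TRANS:
        c = {b for b in univ if (a, b) in interp[B] and (b, a) in interp[B]}
        if c:
            return frozenset(c)
    return frozenset({a})


def ramified_violations(univ, interp):
    """Violations of conditions (2) and (3) of Def. 5.3.  Conditions (1)
    and (4) need the sentence Lambda and the size bound, not given here."""
    bad = []
    for a in univ:
        for b in univ:
            if a != b:
                t = two_type(interp, a, b)
                if single_transitive(t) is None and not is_transitive_less(t):
                    bad.append(("cond2", a, b))
    for a in univ:
        for Ti in sorted(TRANS):
            for Tj in sorted(TRANS - {Ti}):
                for b in clique(univ, interp, a, Ti) - {a}:
                    for c in clique(univ, interp, a, Tj) - {a}:
                        if b != c and two_type(interp, b, c) != negative_link(
                                one_type(interp, b), one_type(interp, c)):
                            bad.append(("cond3", a, b, c))
    return bad


# Constructed structure: a T1-clique {0,1} and a T2-clique {0,2} sharing
# element 0, oriented T1-edges from 0 and 1 to 3, and one non-transitive edge.
UNIV = [0, 1, 2, 3]
INTERP = {
    "U": {(0,), (3,)},
    "T1": {(0, 0), (0, 1), (1, 0), (1, 1), (1, 3), (0, 3)},
    "T2": {(0, 0), (0, 2), (2, 0), (2, 2)},
    "B": {(2, 3)},
}
```

Adding the single pair (1, 2) to T2 makes element 1 of the T1-clique of 0 and element 2 of its T2-clique share a transitive edge, which condition (3) forbids; adding (0, 1) to T2 instead gives a 2-type with two transitive letters, which condition (2) forbids.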

Definition 5.6 Let Λ be a [GF²+TG]-sentence and let $\mathcal T$ be a set of 1-types and 2-types. We say that $\mathcal T$ is Λ-acceptable if

(1) $\mathcal T$ is closed under reductions,

(2) for every conjunct of Λ of the form (n1) $\exists x\,\psi(x)$ there exists a 1-type $s \in \mathcal T$ such that $s \models \psi(x)$,

(3) for every 1-type $s \in \mathcal T$, for every conjunct of Λ of the form (n2) $\forall x\,(\alpha(x) \rightarrow \exists y\,(\beta(x,y) \wedge \psi(x,y)))$, there exists $t \in \mathcal T$ such that t extends s and $t \models \alpha(x) \rightarrow (\beta(x,y) \wedge \psi(x,y))$,

(4) for every 2-type $t \in \mathcal T$, for every conjunct of Λ of the form (n3) $\forall x \forall y\,(\alpha(x,y) \rightarrow \psi(x,y))$, we have $t \models (\alpha(x,y) \rightarrow \psi(x,y)) \wedge (\alpha(x,x) \rightarrow \psi(x,x))$.

The following observation is an easy consequence of the above definitions.

Proposition 5.7 Let Λ be a [GF²+TG]-sentence in normal form, $\mathfrak A$ be a σ-structure and $\mathcal T^{\mathfrak A}$ be the set of all the 1- and 2-types realized in $\mathfrak A$.

(1) $\mathfrak A \models \Lambda$ if and only if $\mathcal T^{\mathfrak A}$ is Λ-acceptable, every element of $\mathfrak A$ has a witness for every conjunct of the form (n2) and every $T \in \sigma$ has a transitively closed interpretation in $\mathfrak A$.

(2) For every set of types $\mathcal T$, $\mathcal T$ is Λ-acceptable if and only if $\overline{\mathcal T}$ is Λ-acceptable.

Definition 5.8 Let Λ be a [GF²+TG]-sentence in normal form, let $\mathfrak A$ be a model for Λ and let $p \in A$.

We say that a σ-structure $\mathfrak D$ is a T-petal of $[p]^{\mathfrak A}_T$ if there exists a function G such that $G : D \rightarrow [p]^{\mathfrak A}_T$ and the following conditions hold:

(p1) $\mathrm{card}(D) = $ …,

(p2) every 1-type realized in $[p]^{\mathfrak A}_T$ is also realized in $\mathfrak D$ and the function G preserves 1-types,

(p3) there is an element $d \in D$ such that $G(d) = p$,

(p4) every 2-type realized in $\mathfrak D$ is a T-slice of some type realized in $[p]^{\mathfrak A}_T$,

(p5) for every $a \in D$, for every conjunct γ of Λ of the form (n2) $\forall x\,(\alpha(x) \rightarrow \exists y\,(\beta(x,y) \wedge \psi(x,y)))$, where β contains T, if there exists a witness of $G(a)$ for γ in $[p]^{\mathfrak A}_T$ then there exists a witness of a for γ in $\mathfrak D$.

For a predicate letter B that is not transitive, a structure $\mathfrak D$ is a B-petal of $[p]^{\mathfrak A}_B$ if $\mathfrak D = [p]^{\mathfrak A}_B$.

Lemma 5.9 Let Λ be a [GF²+TG]-sentence in normal form, let $\mathfrak A$ be a model for Λ and let $p \in A$.

Then, for every binary predicate letter B, there exists a B-petal of $[p]^{\mathfrak A}_B$.

Proof (Sketch) The case when B is not a transitive predicate letter is obvious.

The construction of the required B-petal in the case when B is a transitive predicate letter is a subtle modification of the construction given in [13] in the proof that every first-order two-variable sentence has a model of exponential size with respect to the length of the sentence; we give it here for the sake of completeness.


Let Λ be a [GF²+TG]-sentence in normal form and let T be a transitive predicate letter. To explain the idea of the proof we will use the following notions.

If $\mathfrak C$ is a σ-structure, then a T-local King of $\mathfrak C$ is an element of C whose 1-type is realized by exactly one element of $\mathfrak C$, a T-local Noble of $\mathfrak C$ is an element b of C which is necessary for a local King $a \in C$ with respect to a conjunct of the form (n2) $\forall x\,(\alpha(x) \rightarrow \exists y\,(\beta(x,y) \wedge \psi(x,y)))$, where $\beta(x,y)$ contains T, and T-local Plebeians are the rest of the elements of C.

Let $\mathfrak A$ be a model for Λ and let $p \in A$. The set

$D = K \cup N \cup P_1 \cup P_2 \cup P_3$

will be defined as the universe of the required structure $\mathfrak D$, the T-petal of $[p]^{\mathfrak A}_T$. The above sets will be the sets of T-local Kings, Nobles and Plebeians of $\mathfrak D$; they will play the role of T-local Kings, Nobles and Plebeians of $[p]^{\mathfrak A}_T$. Moreover, the set $P_1$ ($P_2$ and $P_3$) consists of elements that are necessary for elements of N ($P_1$, $P_2$) with respect to a conjunct of the form (n2) $\forall x\,(\alpha(x) \rightarrow \exists y\,(\beta(x,y) \wedge \psi(x,y)))$, where $\beta(x,y)$ contains T. ∎

To simplify the presentation of the technical proofs we will use the following special notation.

Definition 5.10 If $\mathfrak A$ and $\mathfrak B$ are σ-structures, $a \in A$, $b \in B$ and $\mathrm{tp}^{\mathfrak A}(a) = \mathrm{tp}^{\mathfrak B}(b)$, then we denote by $\mathfrak A(a) \circ \mathfrak B(b)$ the partially defined structure $\mathfrak R$ with the universe $A \cup B \setminus \{b\}$ such that for every $c, d \in R$

• if $c, d \in A$ then $\mathrm{tp}^{\mathfrak R}(c,d) = \mathrm{tp}^{\mathfrak A}(c,d)$,

• if $c, d \in B$, $c \neq b$, $d \neq b$, then $\mathrm{tp}^{\mathfrak R}(c,d) = \mathrm{tp}^{\mathfrak B}(c,d)$,

• if $c \in B$, $c \neq b$, then $\mathrm{tp}^{\mathfrak R}(a,c) = \mathrm{tp}^{\mathfrak B}(b,c)$,

• if $c \in A$, $d \in B$, $c \neq a$, then $\mathrm{tp}^{\mathfrak R}(c,d)$ is not defined.

Now, we are ready to give the proof of Theorem 5.4.

Proof of Theorem 5.4.

Let Λ be a [GF²+TG]-sentence in normal form, let $\mathfrak A \models \Lambda$, let $\mathcal T^{\mathfrak A}$ be the set of 1- and 2-types realized in $\mathfrak A$ and let $\mathcal T = \overline{\mathcal T^{\mathfrak A}}$. By Proposition 5.7, the set $\mathcal T$ is Λ-acceptable.

We will construct a ramified model $\mathfrak R$ of Λ in which every 2-type is taken from the set $\mathcal T$. Every element of R will have a corresponding element in A realizing the same 1-type. The correspondence will be given by a function H, $H : R \rightarrow A$, that preserves 1-types and witnesses, i.e. $\mathrm{tp}^{\mathfrak R}(a) = \mathrm{tp}^{\mathfrak A}(H(a))$ and if b is a witness of a in $\mathfrak R$ for a conjunct of Λ of the form (n2), then $H(b)$ is a witness of $H(a)$ in $\mathfrak A$ for the same conjunct.

The structure $\mathfrak R$ will be built in stages. In every stage k the structure $\mathfrak R_{k-1}$ constructed in stage k−1 will be extended to $\mathfrak R_k$ by adding new elements to the k-th level of $\mathfrak R$, $L_k$, as witnesses of all the elements of $L_{k-1}$ for the conjuncts of the form (n2). If $a \in L_{k-1}$ and there is no witness $b \in \mathfrak R_k$ of a for a conjunct γ of the form (n2), then we add a new element b and put $H(b)$ as a witness of $H(a)$ for γ in $\mathfrak A$. The element b is added to $L_k$ together with a structure $\mathfrak D$, a B-petal of the clique $[H(b)]^{\mathfrak A}_B$, and the function H is extended to the elements of D by the function G given by Definition 5.8. Additionally, to ensure that the same cliques are not added more than once for the same element, when an element a is added to $\mathfrak R$ together with its B-clique, then a is canceled with respect to B.

So, in every stage k, the following conditions will hold:

(m1) $\mathfrak R_k \models \gamma$, for every conjunct γ of the form (n1),

(m2) every 2-type realized in $\mathfrak R_k$ is in $\mathcal T$,

(m3) for every $a \in L_{k-1}$, for every conjunct γ of the form (n2), there is a witness of a for γ in $\mathfrak R_k$,

(m4) for every $T \in \sigma$, the interpretation of T in $\mathfrak R_k$ is transitive,

(m5) for every $a, b \in \mathfrak R_k$:

• $\mathrm{tp}^{\mathfrak R_k}(a) = \mathrm{tp}^{\mathfrak A}(H(a))$,

• if b is a witness of a in $\mathfrak R_k$ for γ of the form (n2), then $H(b)$ is a witness of $H(a)$ in $\mathfrak A$ for γ,

• for every $B \in \sigma$, if $\mathfrak R_k \models B(a,b)$ and $a \neq b$ then $\mathrm{tp}^{\mathfrak R_k}(a,b) = \mathrm{tp}^{\mathfrak A}(H(a),H(b))|_B$,

(m6) for every $a \in R_k$, for every $b \in L_k$, for every $T \in \sigma$, if b is not canceled with respect to T, then $\mathrm{tp}^{\mathfrak R_k}(a,b)$ is either transitive-less or T-single-transitive oriented,

(m7) for every $i, j \in M$ such that $i \neq j$, for every $a, b, c \in R_k$, $b \neq a$, $c \neq a$, if $b \in [a]^{\mathfrak R_k}_{T_i}$ and $c \in [a]^{\mathfrak R_k}_{T_j}$ then $\mathrm{tp}^{\mathfrak R_k}(b,c) = \overline{\mathrm{tp}^{\mathfrak R_k}(b), \mathrm{tp}^{\mathfrak R_k}(c)}$,

(m8) for every $a \in R_k$, for every $T \in \sigma$, if a was canceled with respect to T in stage i, $i \le k$, then $[a]^{\mathfrak R_i}_T$ is a T-petal of $[H(a)]^{\mathfrak A}_T$ and $[a]^{\mathfrak R_k}_T = [a]^{\mathfrak R_i}_T$.

Observe that if it is possible to construct a structure $\mathfrak R$ that satisfies the conditions (m1)-(m4) then, by part 1 of Proposition 5.7, the structure $\mathfrak R$ will be a model for Λ and additionally, by (m2), (m7) and (m8), it will be a ramified model.

The following procedure builds the required structure in a possibly infinite number of stages.

Stage 0. Let $L_0 = R_0 = \emptyset$.

1. For every conjunct $\gamma \in \Lambda$ of the form (n1) $\exists x\,\psi(x)$,

(a) find $d_\gamma \in A$ such that $\mathfrak A \models \psi(d_\gamma)$,

(b) add a new element b to $L_0$,

(c) put $H(b) = d_\gamma$ and put $\mathrm{tp}^{\mathfrak R_0}(b) = \mathrm{tp}^{\mathfrak A}(H(b))$.

2. For every $a, b \in \mathfrak R_0$, $a \neq b$, put $\mathrm{tp}^{\mathfrak R_0}(a,b) = \overline{\mathrm{tp}^{\mathfrak R_0}(a), \mathrm{tp}^{\mathfrak R_0}(b)}$.

After performing stage 0, condition (m1) holds since the elements of $L_0$ were chosen in an appropriate way. Condition (m2) holds since the negative links $\overline{\mathrm{tp}^{\mathfrak R_0}(a), \mathrm{tp}^{\mathfrak R_0}(b)}$ are in $\mathcal T$ by part 2 of Proposition 5.7. Conditions (m3)-(m8) are obvious.

Stage k. (k > 0) Put $\mathfrak R_k = \mathfrak R_{k-1}$, $L_k = \emptyset$.

1. For every $a \in L_{k-1}$, for every transitive predicate letter $T \in \sigma$, if a was not canceled with respect to T, then

(a) Creation of a T-petal of a:

Let $\mathfrak D$ be a T-petal of $[H(a)]^{\mathfrak A}_T$ and let G be the function given by Definition 5.8, find $d \in D$ such that $G(d) = H(a)$, put $\mathfrak R_k = \mathfrak R_k(a) \circ \mathfrak D(d)$ and add to $L_k$ all the elements of D except d, and for every $b \in D$ put $H(b) = G(b)$.

(b) Transitive closure for the T-petal of a:

For every $b \in D \setminus \{d\}$ and $c \in R_k \setminus D$, if $\mathrm{tp}^{\mathfrak R_k}(c,a) \models T(x,y) \vee T(y,x)$ then put $\mathrm{tp}^{\mathfrak R_k}(b,c) = \mathrm{tp}^{\mathfrak A}(H(b),H(c))|_T$.

(c) Other types:

For every $b \in D$ and $c \in R_k \setminus D$, if $\mathrm{tp}^{\mathfrak R_k}(b,c)$ is not defined, then put $\mathrm{tp}^{\mathfrak R_k}(b,c) = \overline{\mathrm{tp}^{\mathfrak R_k}(b), \mathrm{tp}^{\mathfrak R_k}(c)}$ and cancel b with respect to T.

2. For every $a \in L_{k-1}$, for every $B \in \sigma$, for every conjunct $\gamma \in \Lambda$ of the form (n2) $\forall x\,(\alpha(x) \rightarrow \exists y\,(\beta(x,y) \wedge \psi(x,y)))$ such that $\beta(x,y)$ contains B, if there is no witness of a for γ in $[a]^{\mathfrak R_k}_B$, then

(a) Witness of a for γ:

Find a witness $d_\gamma$ of $H(a)$ for γ in $\mathfrak A$, add a new element b to $L_k$ and put $H(b) = d_\gamma$, put $\mathrm{tp}^{\mathfrak R_k}(a,b) = \mathrm{tp}^{\mathfrak A}(H(a),H(b))|_B$.

(b) Transitive closure for the witness:

If B is a transitive predicate letter, say T, then for every $c \in R_k$, $c \neq a$, $c \neq b$, if either $\mathrm{tp}^{\mathfrak R_k}(c,a) \models T(x,y)$ and $\mathrm{tp}^{\mathfrak R_k}(a,b) \models T(x,y)$, or $\mathrm{tp}^{\mathfrak R_k}(c,a) \models T(y,x)$ and $\mathrm{tp}^{\mathfrak R_k}(a,b) \models T(y,x)$, then put $\mathrm{tp}^{\mathfrak R_k}(b,c) = \mathrm{tp}^{\mathfrak A}(H(b),H(c))|_T$.

(c) Other types:

For every $c \in R_k$, if $\mathrm{tp}^{\mathfrak R_k}(b,c)$ is not defined, then put $\mathrm{tp}^{\mathfrak R_k}(b,c) = \overline{\mathrm{tp}^{\mathfrak R_k}(b), \mathrm{tp}^{\mathfrak R_k}(c)}$.

Comments. (1b.) Note that $tp^{\mathfrak{B}_k}(b,c) = tp^{\mathfrak{A}}(H(b),H(c)),T$ is well-defined since $H(b) \neq H(c)$. Towards a contradiction, assume $H(b) = H(c)$. Since $b \in D$, by condition (m5), $H(b) \in [H(a)]_T^{\mathfrak{A}}$. Then $H(c) \in [H(a)]_T^{\mathfrak{A}}$, so $tp^{\mathfrak{A}}(H(c),H(a)) \models T(x,y) \wedge T(y,x)$ and then $tp^{\mathfrak{A}}(H(c),H(a)),T$ is $T$-single-transitive symmetric. Since $a$ is not canceled then, by (m6), $tp^{\mathfrak{B}_k}(c,a)$ is single-transitive oriented. But by (m5), $tp^{\mathfrak{B}_k}(c,a) = tp^{\mathfrak{A}}(H(c),H(a)),T$, a contradiction.

(1c.) After performing this step condition (m7) holds. Additionally, (m8) holds, since in steps 1(b) and 1(c) only transitive-less or $T$-single-transitive oriented types are put.

Observe that after performing step 1 all the conditions (m1)-(m8), except condition (m3), hold.

(2a.) Note that by (m8), $[a]_B^{\mathfrak{B}_k}$ is a $B$-petal of $[H(a)]_B^{\mathfrak{A}}$. So, by condition 4 of Definition 5.8, $d_\gamma \notin [H(a)]_B^{\mathfrak{A}}$ and so in case $B$ is a transitive predicate letter, $tp^{\mathfrak{A}}(H(a),d_\gamma) \not\models B(x,y) \wedge B(y,x)$. Since $H(a) \neq H(b)$, the type $tp^{\mathfrak{A}}(H(a),H(b)),B$ is well defined and, in case $B$ is a transitive predicate letter, it is a $B$-single-transitive oriented type, else it is a transitive-less type.

(2b.) Note that $tp^{\mathfrak{A}}(H(b),H(c)),T$ is well-defined since $H(b) \neq H(c)$. Towards a contradiction, assume $H(b) = H(c)$. Assume, as one of two symmetric cases, $tp^{\mathfrak{B}_k}(c,a) \models T(x,y)$ and $tp^{\mathfrak{B}_k}(a,b) \models T(x,y)$. Then, by (m5), $tp^{\mathfrak{A}}(H(c),H(a)) \models T(x,y)$ and $tp^{\mathfrak{A}}(H(b),H(a)) \models T(y,x)$, so $tp^{\mathfrak{A}}(H(b),H(a)) \models T(x,y) \wedge T(y,x)$. By (m5), $tp^{\mathfrak{B}_k}(b,a) = tp^{\mathfrak{A}}(H(b),H(a)),T$, so $tp^{\mathfrak{B}_k}(a,b)$ is $T$-single-transitive symmetric, which is a contradiction with the observation made in the previous step.

After performing this step $T$ is transitive in $\mathfrak{B}_k$, since $T$ was transitive in $\mathfrak{B}_k$ before performing step 2(b) and the pair $(b,c)$ is in the transitive closure of $T$ if and only if the pair $(a,c)$ is in the transitive closure.

(2c.) Observe that conditions (m6) and (m8) hold, since in steps 2(a)-2(c) only transitive-less or single-transitive oriented types are put.

After performing step 2 it is ensured that condition (m3) holds. So, by the inductive hypothesis and by the comments given in steps 2(a)-2(c), all the conditions (m1)-(m8) hold. ■

5.2 Flowers

In this section we introduce the notion of a flower, which contains information about cliques and colors of elements non-symmetrically connected with a fixed element of a ramified model. We observe that the set of flowers realized in a ramified model for a [GF²+TG]-sentence satisfies several properties that are collected in the definition of a carpet. We show in Theorem 5.13 that these properties are necessary and sufficient for satisfiability of a [GF²+TG]-sentence.

Recall that $m$ is the number of transitive predicate letters in $\sigma$ and $M = \{1, \ldots, m\}$.

Definition 5.11 A flower $F$ is a triple $F = (p^F, \{D_i^F\}_{i \in M}, \{In_i^F\}_{i \in M})$, where

(1) … $= \{p^F\}$,

(2) … and $\mathrm{card}(D_i^F) = \ldots$ for every $i \in M$,

(3) for every $i \in M$, for every $a,b \in D_i^F$, $a \neq b$, the type $tp^{D_i^F}(a,b)$ is $T_i$-single-transitive,

(4) $In_i^F$ is a set of 1-types, for every $i \in M$.

The element $p^F$ is called the pistil of the flower $F$; the structures $D_i^F$ are the petals of $F$.

Note that it follows from the definition that the intersection of two distinct petals is a one-element set containing the pistil. We write $tp(p^F)$ to denote the type $tp^{D_i^F}(p^F)$ $(= tp^{D_j^F}(p^F))$.

Definition 5.12 Let $\Delta$ be a [GF²+TG]-sentence in normal form, let $\mathbf{T}$ be a set of types and let $\mathcal{F}$ be a set of flowers. We say that the pair $(\mathbf{T}, \mathcal{F})$ is a $\Delta$-carpet if the following conditions hold:

(c1) $\mathbf{T}$ is $\Delta$-acceptable and $\mathbf{T} = \mathbf{T}$,

(c2) for every $F \in \mathcal{F}$, for every $i \in M$, we have

(a) for every $a,b \in D_i^F$ we have $tp^{D_i^F}(a,b) \in \mathbf{T}$,

(b) for every $v \in In_i^F$ there is a $T_i$-single-transitive oriented 2-type $t \in \mathbf{T}$ such that $t \models tp(p^F)(x) \wedge v(y) \wedge T_i(y,x)$,

(c) for every $a \in D_i^F$ there exists a flower $F' \in \mathcal{F}$ such that $(D_i^F, a) \cong (D_i^{F'}, p^{F'})$ and $In_i^{F'} = In_i^F$,

(c3) for every conjunct $\gamma$ of $\Delta$ of the form (n1): $\exists x(\alpha(x) \wedge \psi(x))$ there exists a flower $F \in \mathcal{F}$ such that $tp(p^F) \models \alpha(x) \wedge \psi(x)$,

(c4) for every $F \in \mathcal{F}$, for every $i \in M$, for every conjunct $\gamma$ of $\Delta$ of the form (n2): $\gamma = \forall x(\alpha(x) \to \exists y(\beta(x,y) \wedge \psi(x,y)))$, if there is no witness of $p^F$ for $\gamma$ in any petal $D_i^F$ then there exists a flower $F' \in \mathcal{F}$ and a 2-type $t \in \mathbf{T}$ such that

(a) $t \models tp(p^F)(x) \wedge tp(p^{F'})(y) \wedge \beta(x,y) \wedge \psi(x,y)$,

(b) if $\beta = T_i(y,x)$ then

i. $t$ is $T_i$-single-transitive oriented,
ii. $tp(p^{F'}) \in In_i^F$,
iii. $In_i^F \supseteq In_i^{F'} \cup \{tp^{D_i^{F'}}(d) : d \in D_i^{F'}\}$,

(c) if $\beta = T_i(x,y)$ then

i. $t$ is $T_i$-single-transitive oriented,
ii. $tp(p^F) \in In_i^{F'}$,
iii. $In_i^{F'} \supseteq In_i^F \cup \{tp^{D_i^F}(d) : d \in D_i^F\}$,

(d) if $\beta$ does not contain a transitive predicate letter then $t$ is transitive-less.

Theorem 5.13 A [GF²+TG]-sentence $\Delta$ in normal form is satisfiable if and only if there exists a $\Delta$-carpet.

5.3 Complexity

Theorem 5.14 The satisfiability problem for [GF²+TG] is in 2EXPTIME.

Proof Let $\Gamma$ be a [GF²+TG]-sentence over a signature $\tau$ and let $n$ be the length of $\Gamma$. Let $\mathcal{D}$ be the set of [GF²+TG]-sentences in normal form over a signature $\sigma$ given by Lemma 3.2. Then, $\Gamma$ is satisfiable if and only if there exists a satisfiable sentence $\Delta \in \mathcal{D}$. Moreover, $\mathrm{card}(\sigma) = O(n)$ and the length of $\Delta$ is linear with respect to $n$.

By Theorem 5.12, a sentence $\Delta \in \mathcal{D}$ is satisfiable if and only if there exist a set of 1- and 2-types $\mathbf{T}$ and a set of flowers $\mathcal{F}$ such that $(\mathbf{T}, \mathcal{F})$ is a $\Delta$-carpet.

Every type of the set $\mathbf{T}$ can be written using $O(n)$ space and $\mathrm{card}(\mathbf{T}) \le 2^{\cdots}$. Define $N(\Delta)$ as the number of all flowers. Since every flower can be written using … space, $N(\Delta) \le 2^{2^{\cdots}}$ for a constant $c$.

The following alternating exponentially space-bounded algorithm is a satisfiability test for [GF²+TG]-sentences.

Input: a [GF²+TG]-sentence $\Gamma$;

Compute the set $\mathcal{D}$;
guess a sentence $\Delta \in \mathcal{D}$;

Compute $N(\Delta)$;
guess a set of types $\mathbf{T}$;

if $\mathbf{T}$ does not satisfy condition (c1) then reject;
universally choose a conjunct $\gamma \in \Delta$ of the form (n1) $\exists x(\alpha(x) \wedge \psi(x))$;
guess a 1-type $t \in \mathbf{T}$ and a flower $F$;
if $tp(p^F) \neq t$ or $t \not\models \alpha(x) \wedge \psi(x)$ then reject;
for $j = 1$ to $N(\Delta)$ do

    universally choose the Case:

    Case 1  Condition (c2)

        universally choose $i \in M$;
        if $F$ does not satisfy (c2a)-(c2b) then reject;
        universally choose $a \in D_i^F$;
        guess a flower $F'$;
        if $(D_i^F, a) \not\cong (D_i^{F'}, p^{F'})$ or $In_i^{F'} \neq In_i^F$ then reject;
        $F := F'$;

    Case 2  Condition (c4)

        universally choose $i \in M$ and a conjunct $\gamma$ of $\Delta$ of the form
        (n2) $\forall x(\alpha(x) \to \exists y(\beta(x,y) \wedge \psi(x,y)))$;
        if there is no $b \in D_i^F$ such that $D_i^F \models \alpha(p^F) \to \beta(p^F, b) \wedge \psi(p^F, b)$ then
        begin
            guess a flower $F'$ and a 2-type $t \in \mathbf{T}$;
            if conditions (c4a)-(c4d) do not hold then reject;
        end;
        $F := F'$;

od;

accept

It is well known (see [3]) that for all functions $f(n) \ge \log n$, $\mathrm{ASPACE}(f(n)) = \bigcup_{c > 0} \mathrm{TIME}(2^{c \cdot f(n)})$. In particular AEXPSPACE = 2EXPTIME. ■

6 The general case

The ideas and methods used for [GF²+TG] can be extended to obtain the analogous results for the whole [GF+TG].

Abstract

Closed monadic $\Sigma_1$, as proposed in [AFS98], is the existential monadic second order logic where alternation between existential monadic second order quantifiers and first order quantifiers is allowed. Despite some effort very little is known about the expressive power of this logic on finite structures. We construct a tree automaton which exactly characterizes closed monadic $\Sigma_1$ on the Rabin tree and give a full analysis of the expressive power of closed monadic $\Sigma_1$ in this context. In particular, we prove that the hierarchy inside closed monadic $\Sigma_1$, defined by the number of alternations between blocks of first order quantifiers and blocks of existential monadic second order quantifiers, collapses, on the infinite tree, to level 2.


1 Introduction

Monadic second order logic (MSOL) has long been studied by computer scientists in at least two contexts: descriptive complexity on finite structures (the Fagin context) and the theory of finite automata on infinite trees (the Rabin context). Although the results of this paper concern infinite trees rather than finite structures, the class considered in this paper (the closed $\Sigma_1$ hierarchy) originates from the descriptive complexity area.

1.1 Previous works

In the Fagin context, the expressive power of MSOL on finite structures is studied. The motivation comes from the fact that a property of finite structures is in the class NP if and only if it is expressible by an existential second order sentence ([F74]). The question whether NP equals co-NP is in this way reduced to the question whether $\Sigma_1$, the set of properties expressible by existential second order sentences, equals $\Pi_1$, the set of properties expressible by universal second order sentences. But the last question is far beyond the techniques we have. That is why, as suggested by Fagin ([F75]), we first study the monadic counterparts of the complexity questions. Monadic NP is the set of properties expressible by a formula with the quantifier prefix of the form $\boldsymbol{\exists}^*(\forall\exists)^*$ (where $\boldsymbol{\exists}$ and $\boldsymbol{\forall}$ are monadic second order quantifiers while $\exists$ and $\forall$ are first order quantifiers). It is not very hard to prove ([F75]) that monadic NP does not equal monadic co-NP: graph connectivity belongs to the second of these classes but not to the first. In the last decade a number of deep techniques were developed to show non-expressibility results: in [S94] Schwentick developed sophisticated strategies for Ehrenfeucht-Fraïssé games to prove that graph connectivity is not in monadic NP even in the presence of a built-in order. In [AF90] Ajtai and Fagin used a complicated probabilistic argument to show that reachability in directed graphs is not in monadic NP (also [AF97]). Finally, Matz and Thomas ([MT97]) constructed an automata theory based proof of the theorem that the monadic hierarchy, the counterpart of the Stockmeyer polynomial hierarchy, is strict. This means that for every natural $n$ there is a property of finite structures expressible by a formula with quantifier prefix of the form $(\boldsymbol{\exists}^*\boldsymbol{\forall}^*)^{n+1}(\exists\forall)^*$ but not by one with $(\boldsymbol{\exists}^*\boldsymbol{\forall}^*)^{n}(\exists\forall)^*$. Their proof, as we said, is automata theory based. Let us sketch it here. The structures they consider are colored rectangular grids. They treat such a grid as a word of columns. So each property of grids can also be viewed as a set of words. For each formula $\phi$ of monadic second order logic they construct a finite word automaton $A(\phi)$ which recognizes exactly the set of colored grids in which $\phi$ is valid. It is easy to construct $A(\boldsymbol{\exists}\phi)$: the set of states remains the same as in $A(\phi)$ and the transition function becomes "more nondeterministic". But it turns out that $A(\boldsymbol{\forall}\phi)$ can only be constructed as $A(\neg\boldsymbol{\exists}\neg\phi)$, which requires computing a complement of the original automaton (via determinisation) and leads to an exponential explosion of the number of states. Then they use the number-of-states argument, and the fact that they are considering 2-dimensional grids rather than words, to get the separation result.

It could appear at this stage that we were able to answer every interesting question about the Fagin world. But in [AFS98], [AFS00] Ajtai, Fagin and Stockmeyer noticed that monadic NP is not the most general monadic subclass of NP: they defined closed monadic NP as the class of properties definable by a formula with the prefix of the form $(\boldsymbol{\exists}^*(\exists\forall)^*)^*$. In their paper they prove that such possibility of alternation between first order quantifiers and monadic second order existential quantifiers increases the expressive power of the language. Closed monadic NP does not share the obvious pathologies of monadic NP: connectivity and directed reachability are definable now, the first of them by a prefix of the form $\forall\forall\boldsymbol{\exists}^*(\forall\exists)^*$, the second by $\exists\forall\boldsymbol{\exists}(\forall\exists)^*$. To show that the increase of expressive power is indeed substantial the authors define a property $V_2$, definable by $\boldsymbol{\exists}^*(\exists\forall)^*\boldsymbol{\exists}^*(\exists\forall)^*$ but (and this proof is the main technical contribution of [AFS98]) not by any boolean combination of formulae with the prefix of the form $(\forall\exists)^*\boldsymbol{\exists}^*(\forall\exists)^*$. Some natural questions are stated in the paper: is closed monadic NP equal to closed monadic co-NP? Does there exist any property in the monadic hierarchy but not in closed monadic NP? Another very natural question one can ask here is whether the hierarchy inside closed monadic NP defined by the number of blocks of monadic second order quantifiers is strict (the $n$-th level of the hierarchy here consists of the properties definable by $(\boldsymbol{\exists}^*(\exists\forall)^*)^n$).

All the above questions seem to be hard. It is amazing, but despite some effort ([AFS00], [M99], [JM01]) we are not even able to show that there is any property in the monadic hierarchy but not on level 2 of the hierarchy inside closed monadic NP (i.e. not definable by a formula with the prefix of the form $\boldsymbol{\exists}^*(\exists\forall)^*\boldsymbol{\exists}^*(\exists\forall)^*$). One could think that a positive answer to the last question should follow from the Matz-Thomas technique, but this is not the case: it turns out that the construction of the finite automaton for $\forall\phi$ leads to the same kind of exponential state explosion as the construction of $A(\boldsymbol{\forall}\phi)$. The property expressible with a prefix $(\boldsymbol{\exists}^*\boldsymbol{\forall}^*)^{n+1}(\exists\forall)^*$ but not with $(\boldsymbol{\exists}^*\boldsymbol{\forall}^*)^{n}(\exists\forall)^*$ constructed with the Matz-Thomas method is in fact expressible also by a formula with the prefix $\boldsymbol{\exists}^*(\exists^*\forall^*)^{n+1}\boldsymbol{\exists}^*(\exists\forall)^*$, which means that it is on the second level of the hierarchy inside closed monadic NP. It seems possible that understanding the difference between the increase of the complexity of a recognizable language induced by first order universal quantification and by monadic second order universal quantification may lead to the answer to some of the open questions from [AFS98]. In this paper we show that at least in the Rabin context all those questions can be answered in this way.


In the Rabin context, one considers finite automata and MSOL on infinite trees. The subject was pioneered by Rabin in his seminal paper [R69], where he proves that MSOL over the infinite binary tree (also known as S2S, the monadic second order theory of two successors) collapses to $\Sigma_3$ and is decidable. This deep result has later been used as a tool to solve many other decision problems by reduction to S2S.

The main tool of Rabin's proof are what we call today Rabin automata, which characterize MSOL on Rabin trees. Rabin's proof is difficult to understand, and in particular the proof that Rabin automata are closed under complement is very complicated; so, many papers have been devoted to explaining what is really going on in the complementation proof. Many sorts of tree automata have been defined in order to simplify the construction, including Muller automata (originally considered for infinite words [M63]) and Streett automata [S82]. But the real progress came only as late as in [GH82] with the introduction of games on trees. Games correspond to automata and they are easy to complement (by determinacy). A related concept are alternating tree automata, which generalize usual, nondeterministic automata [MS87]: an accepting run of such an automaton looks much like a winning strategy in a game. After thirty years of studies there is still research underway which gives us a better understanding of tree automata; for instance, in [A94] a fully "algebraic" proof of the complementation lemma is given, in [Z98] the author proposes a proof of the lemma via infinite games on graphs, and in [EJ99] the complexity of the satisfiability problem on tree automata is investigated.

A very natural class of automata traditionally studied in this context are Büchi automata, originally introduced in [B60] for infinite words. The expressive power of automata of this class on the infinite tree is extensively studied in Rabin's paper [R70]. Among other things, Rabin shows that Büchi definable sets form a proper subclass of MSOL definable sets, and that they have a number of closure properties (including closure under weak universal quantification). One of the closure properties proved by Rabin (Theorem 9 in [R70]) gave us some inspiration for the construction performed in the present paper. Büchi automata, despite their simple definition which makes them a much nicer object of study than Rabin automata, are also not fully understood yet. For example, only recently in [L01] has it been shown that Büchi automata express exactly the properties in $\Sigma_2$ on the binary tree.

1.2 Our contribution

We give a complete analysis of the structure of closed monadic NP (which here should rather be called closed monadic $\Sigma_1$) in the world of Rabin. Our original goal was to look for techniques that would establish the strictness of the hierarchy inside closed monadic $\Sigma_1$ in this context.

Our first result was the one from Appendix 3 that the property EGFP (the last is a CTL* formula saying that there is a path on which the predicate $P$ occurs infinitely many times) is expressible by a formula with the prefix of the form $\boldsymbol{\exists}^*(\exists\forall)^*\boldsymbol{\exists}^*(\exists\forall)^*$ but not by a $\Sigma_1$ formula. But it turns out that EGFP is even harder: as we prove in Section 2.4 it is not expressible by any boolean combination of formulae with the prefix of the form $(\forall\exists)^*\boldsymbol{\exists}^*(\forall\exists)^*$, and in this way it is a counterpart, in the Rabin world, of the property $V_2$ from [AFS98].

Then we tried different kinds of nesting of CTL* formulae to construct properties in closed monadic $\Sigma_1$ but not on its second level. All the attempts failed: to our great surprise the hierarchy inside closed monadic $\Sigma_1$ collapses in the Rabin world. As we prove in Section 3 it collapses to level 2, the same mysterious level 2 that we are not able to move beyond in the Fagin context. Our proof technique is based on automata. We define a kind of finite tree automaton which we call a search automaton (to guess how such an automaton should be defined was the most difficult part of our research). A search automaton is a kind of Büchi automaton with additional simple requirements on the accepting conditions. The class of languages recognizable by search automata contains $\Sigma_1$ and is closed under existential monadic second order quantification (this is not hard to prove) and under universal first order quantification. But the class is not closed under universal monadic second order quantification! In Section 2.3 we show that the property AFP (on every path there occurs $P$), clearly expressible by a formula of monadic second order logic with the quantifier prefix of the form $\boldsymbol{\forall}(\forall\exists)^*$, is not recognizable by any search automaton and thus not in closed monadic $\Sigma_1$. This means that our search automata, unlike Rabin automata, and unlike finite automata on words, are sensitive to the difference between first and monadic second order universal quantification.

In Section 2.1 we show that if a property is recognizable by a search automaton then it is expressible by a $\Sigma_1$ formula using an additional predicate $<$, where the meaning of $x < y$ is "$x$ is a prefix of $y$". The last formula, for fixed $x$ and $y$, can be defined by an additional existentially quantified monadic relation, and as a result we get a formula with the prefix of the form $\boldsymbol{\exists}^*(\exists\forall)^*\boldsymbol{\exists}^*(\exists\forall)^*$.

1.3 Remark on $\Sigma_1$(TC)

There is another unexpected link between our two worlds: not only, as we said in Subsection 1.1, is no monadic property in the Fagin world known which could be proved not to be expressible on level two of the hierarchy inside closed monadic NP. In fact we do not even know a monadic property provably not in $\Sigma_1$(TC)¹, where TC is the simplest possible version of the transitive closure operator: $TC(\phi, x, y)$, where $\phi$ is a first order formula with two free variables, means that there is a finite path $x = x_1, x_2, \ldots, x_k = y$ such that $\phi(x_i, x_{i+1})$ holds for each $i$. The formula $\phi$ is a generalized graph edge, and it is as hard to define the TC operator as to define graph reachability. This means that all properties in $\Sigma_1$(TC) are, in the Fagin world, definable by a formula with a prefix of the form $(\boldsymbol{\exists}^*(\exists\forall)^*)^2$. Could it be possible that closed monadic NP in the Fagin world is exactly $\Sigma_1$(TC)? It follows from our results that the classes are equal in the Rabin world.

2 Technical part, the easy fragment

We consider MSOL over trees. By a tree we mean a structure whose domain is $\{0,1\}^*$. The signature consists of two functions, left son and right son, mapping each $w$ to $w0$ and $w1$ respectively, and of some finite set $V$ of monadic predicates. Sometimes (when explicitly mentioned) the signature will also contain the prefix ordering relation $<$, with the natural meaning. When talking about automata we often think of a tree as a function from $\{0,1\}^*$ to some alphabet $\Sigma$ rather than as a structure. Since $\Sigma$ can be viewed as the powerset of $V$, the two definitions are equivalent. A path in a tree is an infinite sequence $x_1, x_2, \ldots$ of words from $\{0,1\}^*$ such that each $x_{i+1}$ equals $x_i0$ or $x_i1$.

2.1 Search automata

A search automaton over an alphabet $\Sigma$ is a tuple $A = (Q, Q_0, R, F_1, \ldots, F_k)$ where $Q$ is a finite set of states, $Q_0 \subseteq Q$ and $R$ is a finite set of rules, which are constructs of the form $(q, a) \to (q_0, q_1)$, with $q, q_0, q_1 \in Q$ and $a \in \Sigma$. The $F_i$ are subsets of $Q$ and satisfy the following condition:

(L) For any rule $(q, a) \to (q_0, q_1)$ from $R$ and for any $i$, $1 \le i \le k$, if $q \notin F_i$, then there exists $d \in \{0,1\}$ such that $q_d \in F_i$.

For a tree $T$ with alphabet $\Sigma$, a run of the automaton $A$ on $T$ is a function $\rho : \{0,1\}^* \to Q$ such that for each $w \in \{0,1\}^*$, $(\rho(w), T(w)) \to (\rho(w0), \rho(w1))$ is a rule from $R$. A run $\rho$ is initial if $\rho(\varepsilon) \in Q_0$ and is accepting if:

(C) for any path $w_1, w_2, \ldots$ and any $i$, $\rho(w_j) \in F_i$ for infinitely many numbers $j$.

We say that $A$ recognizes the tree $T$ if there exists an initial accepting run of $A$ on $T$.

¹ The properties constructed by the Matz-Thomas method are also in this class.
Lemma 2.1 If $A$ is a search automaton, then the set of trees recognized by $A$ is definable by a formula in $\Sigma_1(<)$.

Proof: In the presence of condition (L), it is easy to see that (C) is equivalent to the first order condition:

(C') For any $i$ and any $u \in \{0,1\}^*$ such that $\rho(u) \notin F_i$ there exists $v \ge u$ such that $\rho(v0) \in F_i$, $\rho(v1) \in F_i$ and $\forall w \in \{0,1\}^*\, (u \le w \le v \to \rho(w) \notin F_i)$.

In order to prove this equivalence consider, for given $i$ and for given $u \in \{0,1\}^*$ such that $\rho(u) \notin F_i$, the set $A = \{w \in \{0,1\}^* : u \le w \wedge \rho(w) \notin F_i \wedge \forall v\, (u \le v \le w \to \rho(v) \notin F_i)\}$. By condition (L) the set $A$ is a path (finite or not). This path is finite if and only if it contains a word $v$ such that $\rho(v0) \in F_i$ and $\rho(v1) \in F_i$. And condition (C) means that for every $u$ and every $i$ the set $A$ is finite. ■
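As an added worked example (not code from the paper), the following Python models a search automaton as in the definition of Section 2.1, checks condition (L), and decides acceptance of a run on a regular tree by following the chain of nodes outside $F_i$ exactly as in the proof of Lemma 2.1. The search automaton for EGFP, the generator encoding of trees and runs, and the letters 'P'/'N' are constructed here and are not taken from the paper.

```python
"""Search automata (Section 2.1) on regular trees; added example, not from the paper.
A regular tree with a candidate run is given by a finite generator: each node g
carries a letter, a state rho(g) and its two sons; unfolding it from the root
gives the tree T and the run rho on {0,1}*.  Acceptance is decided through (C')
from the proof of Lemma 2.1 instead of the infinitary condition (C)."""
from itertools import product


class SearchAutomaton:
    """A = (Q, Q0, R, F_1..F_k); R maps (state, letter) to allowed son pairs."""
    def __init__(self, states, initial, rules, acc):
        self.Q = frozenset(states)
        self.Q0 = frozenset(initial)
        self.R = {key: frozenset(val) for key, val in rules.items()}
        self.F = [frozenset(f) for f in acc]

    def satisfies_L(self):
        """Condition (L): a rule from a state outside F_i puts a son in F_i."""
        for (q, _letter), pairs in self.R.items():
            for q0, q1 in pairs:
                if any(q not in Fi and q0 not in Fi and q1 not in Fi
                       for Fi in self.F):
                    return False
        return True


def reachable(gen, root):
    seen, todo = set(), [root]
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(gen[g][2:])
    return seen


def is_initial_run(aut, gen, root):
    """rho(root) in Q0 and every node of the unfolding uses a rule of R."""
    if gen[root][1] not in aut.Q0:
        return False
    for g in reachable(gen, root):
        letter, q, g0, g1 = gen[g]
        if (gen[g0][1], gen[g1][1]) not in aut.R.get((q, letter), ()):
            return False
    return True


def is_accepting(aut, gen, root):
    """Condition (C) via (C'): from each node u with rho(u) outside F_i follow
    the sons outside F_i.  By (L) at most one son qualifies, so the set A of the
    proof is one chain; on a regular tree it is infinite iff it revisits a node."""
    assert aut.satisfies_L()
    nodes = reachable(gen, root)
    for Fi in aut.F:
        for u in nodes:
            if gen[u][1] in Fi:
                continue
            visited, v = set(), u
            while v not in visited:
                visited.add(v)
                out = [s for s in gen[v][2:] if gen[s][1] not in Fi]
                if not out:     # both sons in F_i: the chain from u is finite
                    break
                v = out[0]
            else:               # the chain repeats: a path avoiding F_i forever
                return False
    return True


def recognizes_regular(aut, tree, root):
    """Look for an initial accepting run among the runs that are constant on
    generator nodes (a restriction of this example; a run may in general need
    more memory than the generator).  Returns such a run or None."""
    names = sorted(tree)
    for choice in product(sorted(aut.Q), repeat=len(names)):
        gen = {g: (tree[g][0], q, tree[g][1], tree[g][2])
               for g, q in zip(names, choice)}
        if is_initial_run(aut, gen, root) and is_accepting(aut, gen, root):
            return gen
    return None


# Constructed search automaton for property (*) of Section 2.4 (EGFP).
# Letters: 'P' for P, 'N' for not-P.  States p and n lie on a guessed path
# (p only on P-nodes), o is off the path.  With F_1 = {p, o}, condition (C)
# holds exactly when the guessed path carries infinitely many P.
ON_PATH = {('p', 'o'), ('n', 'o'), ('o', 'p'), ('o', 'n')}
EGFP = SearchAutomaton(
    states={'p', 'n', 'o'}, initial={'p', 'n'},
    rules={('p', 'P'): ON_PATH, ('n', 'P'): ON_PATH, ('n', 'N'): ON_PATH,
           ('o', 'P'): {('o', 'o')}, ('o', 'N'): {('o', 'o')}},
    acc=[{'p', 'o'}])

# Constructed regular trees, node -> (letter, left son, right son): P on every
# even node of the leftmost path, where (*) holds, and P at the root only.
TREE_EVEN = {'e': ('P', 'd', 'x'), 'd': ('N', 'e', 'x'), 'x': ('N', 'x', 'x')}
TREE_ROOT = {'r': ('P', 's', 'x'), 's': ('N', 's', 'x'), 'x': ('N', 'x', 'x')}
```

`recognizes_regular(EGFP, TREE_EVEN, 'e')` returns a run with e→p, d→n, x→o, while `recognizes_regular(EGFP, TREE_ROOT, 'r')` returns None because every on-path run eventually stays in state n, so the chain of Lemma 2.1 loops.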

2.2 Main result

Theorem 2.2 Consider the following six classes of properties of trees:

(i) Closed monadic $\Sigma_1$ (i.e. the set of properties definable by a formula of MSOL with the quantifier prefix of the form $(\boldsymbol{\exists}^*(\forall\exists)^*)^*$).

(ii) Second level of closed monadic $\Sigma_1$ (i.e. the set of properties definable by a formula of MSOL with the quantifier prefix of the form $\boldsymbol{\exists}^*(\forall\exists)^*\boldsymbol{\exists}^*(\forall\exists)^*$).

(iii) Monadic $\Sigma_1(<)$ (i.e. the set of properties definable, with the use of the prefix ordering relation $<$, by a formula of MSOL with the quantifier prefix of the form $\boldsymbol{\exists}^*(\forall\exists)^*$).

(iv) The properties recognizable by search automata.

(v) Monadic $\Pi_1$ (i.e. the set of properties definable by a formula of MSOL with the quantifier prefix of the form $\boldsymbol{\forall}^*(\forall\exists)^*$).

(vi) First order closure of $\Sigma_1$ (i.e. the set of properties definable by a boolean combination of formulae of MSOL with the quantifier prefix of the form $(\forall\exists)^*\boldsymbol{\exists}^*(\forall\exists)^*$).

Then: (i)=(ii)=(iii)=(iv) and (v) $\not\subseteq$ (iv) and (vi) $\not\supseteq$ (ii).

Proof: (v) $\not\subseteq$ (iv) is proved in Section 2.3, (vi) $\not\supseteq$ (ii) is proved in Section 2.4, (ii) $\subseteq$ (i) is obvious, also (iii) $\subseteq$ (ii) is easy to show, (iv) $\subseteq$ (iii) was proved in the previous Section. For the proof of (i) $\subseteq$ (iv) see Section 3. ■

Let us remark that it follows from Theorem 2.2 that closed monadic $\Sigma_1(<)$ on the Rabin tree is exactly monadic $\Sigma_1(<)$; the possibility of alternating first and second order quantifiers does not give any additional power here.


2.3 AFP is not in closed monadic $\Sigma_1$

Lemma 2.3 Let $P$ be a monadic predicate. The property that on every infinite path from the root there is a $P$ (defined by the CTL formula AFP) is definable by a formula with quantifier prefix of the form $\boldsymbol{\forall}^*(\exists\forall)^*$ (is in monadic $\Pi_1$) but is not recognizable by a search automaton.

Proof: Suppose $A$ were a search automaton for AFP, over the alphabet $\{P, \neg P\}$, with a set $Q$ of states and $k$ accepting conditions $F_1, \ldots, F_k$. Let $l = |Q|$. Then consider a natural number $m$ which is sufficiently large, say $m = 2(l+1)k + 2$. Let $M$ be the tree where $P$ is interpreted as the set of all words of length $m$. Obviously, $M$ has the property AFP. Let $\rho$ be an accepting run of $A$ on $M$. Since $A$ is a search automaton, there exists a sequence of $(l+1)k$ words:

$w_{1,1} < \ldots < w_{1,k} < \ldots < w_{l+1,1} < \ldots < w_{l+1,k}$,

such that for each pair $i,j$ it holds that $w_{i,j}$ has length less than $m$, that $\rho(w_{i,j}) \in F_j$, and that the distance between each two consecutive elements of the sequence is 1 or 2. Now, we find $i < i' \le l+1$ such that $\rho(w_{i,1}) = \rho(w_{i',1})$ and apply a "pumping" argument: let $M'$ be a tree with predicate $P$ defined as:

(i) If $w_{i,1}$ is not a prefix of $w$ then $w \in P$ holds in $M'$ if and only if it holds in $M$.

(ii) Let $y$ be such that $w_{i,1}y = w_{i',1}$. If $w$ is of the form $w_{i,1}y^*x$ where $y$ is not a prefix of $x$ then $w \in P$ holds in $M'$ if and only if $w_{i,1}x \in P$ holds in $M$.

In an analogous way define the run $\rho'$ of $A$ on $M'$. Then $M'$ does not have the property AFP: the words that are prefixes of some word of the form $w_{i,1}y^*$ form an infinite path without $P$. But $\rho'$ is an accepting run of $A$ on $M'$. ■

2.4 Monadic $\Sigma_1$ is much less than closed monadic $\Sigma_1$

Let us consider the following property of infinite binary trees colored with a monadic relation $P$:

(*) there is an infinite sequence $x_1, x_2, x_3, \ldots$ of vertices such that $x_i < x_{i+1}$ and $P(x_i)$ hold for each $i$.

In the notation of the temporal logic CTL* the property (*) can be expressed as $EGFP$.

It is easy to see that (*) is expressible in monadic $\Sigma_1(<)$. Our original elementary proof of the fact that $EGFP$ is not in monadic $\Sigma_1$ can be found in the Appendix. But it turns out that with the use of a new result from [L01] we can easily have something more:

Theorem 2.4 Property (*) is not expressible by any boolean combination of formulae with the prefix of the form $(\forall\exists)^*\exists^*(\forall\exists)^*$.

Proof: It is easy to see that if some property is expressible by a boolean combination of formulae with the prefix of the form $(\forall\exists)^*\exists^*(\forall\exists)^*$ then it is also expressible by a formula with the prefix of the form $(\forall\exists)^*\exists^*\forall^*(\forall\exists)^*$. It is proved in [L01] that if a property is in monadic $\Sigma_2$, that is, expressible by a formula with the prefix $\exists^*\forall^*(\forall\exists)^*$, then it is recognizable by a Büchi automaton. But the class of properties recognizable by Büchi automata is closed under universal first order quantification ([R70]) and under existential first order quantification. So if a property is expressible by a boolean combination of formulae with the prefix of the form $(\forall\exists)^*\exists^*(\forall\exists)^*$ then it is recognizable by a Büchi automaton.

If property (*) were expressible by a formula like in the theorem then its complement

(**) on each path there are only finitely many $P$

would also be expressible in this class, and thus would be Büchi. But the latter is not the case, as proved in [R70]. ■

3 Technical part, the harder fragment

In this technical section we prove that search automata recognize all the properties in closed monadic $\Sigma_1$. We leave it for the reader as an easy exercise to prove that they recognize all the properties in monadic $\Sigma_1$, and that the class of recognizable properties is closed under existential quantification, first order and monadic second order. What remains to be proved is:

Lemma 3.1 Let $A$ be a search automaton over some alphabet $\Sigma \times \{x, \bar x\}$. For a given tree $T$ over $\Sigma$ and for $v \in \{0,1\}^*$ define $T^v$ as the tree over $\Sigma \times \{x, \bar x\}$ with $T^v(y) = (T(y), x)$ if $v = y$ and $T^v(y) = (T(y), \bar x)$ otherwise. Then there exists a search automaton $\forall A$ over the alphabet $\Sigma$ such that $\forall A$ accepts a tree $T$ if and only if $A$ accepts every $T^v$ for $v \in \{0,1\}^*$.

From now on $A = (Q, Q_0, R, \{F_1, F_2, \ldots, F_k\})$ is a fixed search automaton.

3.1 Multiruns

Let us assume that the tree $T$ over $\Sigma$ is such that each $T^v$ is recognized by $A$. Then for each $v$ there is an initial accepting run $\rho^v$ on $T^v$. For any $v$ and $w$ in $\{0,1\}^*$ such that $w \not\le v$, the subtree of $T^v$ defined by $T^v_w(u) = T^v(wu)$ is over the alphabet $\Sigma \times \{\bar x\}$ (more precisely, $T^v_w(u) = (T(wu), \bar x)$), and $\rho^v$ induces an accepting run of $A$ on $T^v_w$ defined by $\rho^v_w(u) = \rho^v(wu)$.

The initial accepting runs of $\forall A$ on $T$ must allow us to retrieve a family $(\rho^v)_{v \in \{0,1\}^*}$. In particular, they must contain, in an encoded form, a sufficiently large set of runs $\rho^v_w$, called a multirun.

Definition 3.2 For a tree $T$ over $\Sigma$ we define $\bar T$ as the tree over $\Sigma \times \{\bar x\}$ with $\bar T(w) = (T(w), \bar x)$. If $T$ is a tree and $u \in \{0,1\}^*$, then we define $T_u$ as the "subtree of $T$ rooted in $u$": $T_u(y) = T(uy)$ for each $y$.

Definition 3.3 Let $T$ be a tree over $\Sigma$. A multirun of the automaton $A$ on $T$ is a partial function $\Psi$ whose arguments are pairs $(w, q)$ (where $w \in \{0,1\}^*$ and $q \in Q$), such that for each element $(w, q)$ of its domain $\Psi(w, q)$ is a run of $A$ on $\bar T_w$ with the state $q$ in the root $w$ of $\bar T_w$. A multirun is accepting if all the runs $\Psi(w, q)$ are accepting.

For convenience, instead of considering $\Psi(w, q)$, which is a total mapping, we consider the partial mapping of domain $w\{0,1\}^*$, denoted by $\Psi_{w,q}$ and defined by $\Psi_{w,q}(wu) = \Psi(w, q)(u)$, so that if $\Psi(w, q)$ is $\rho^v_w$ then

(E) $\Psi_{w,q}(wu) = \Psi(w, q)(u) = \rho^v_w(u) = \rho^v(wu)$.

Multiruns are a way of remembering the whole interesting knowledge about possible accepting runs of $A$ on those subtrees of $T \times \{x, \bar x\}$ which do not contain the (universally quantified) variable $x$. This interesting information is where we can start such a run and in which state we can start it:

Definition 3.4 Two multiruns on $T$ are equivalent if they have the same domain.

We want to store the information as a run of our new automaton $\forall A$. But $\forall A$ can only store a finite piece of information in each of the nodes of $\{0,1\}^*$. This motivates:

Definition 3.5 A multirun $\Psi$ is uniform if for each $w_1, w_2, y, z \in \{0,1\}^*$ and $q_1, q_2 \in Q$ the following implication holds:
$$(w_1 \le y \le z) \wedge (w_2 \le y) \wedge \Psi_{w_1,q_1}(y) = \Psi_{w_2,q_2}(y) \quad \text{implies} \quad \Psi_{w_1,q_1}(z) = \Psi_{w_2,q_2}(z).$$

So a multirun is uniform if, each time two of its runs agree on some node $y$, they remain equal on all the successors of $y$.

Of course not every multirun is uniform, but it turns out that:

Lemma 3.6 For every accepting multirun $\Psi$ on $T$ there exists an equivalent accepting multirun which is uniform.

The tool we need to prove Lemma 3.6 is:

Lemma 3.7 Let $T$ be a tree over $\Sigma$ and let $\rho$ be an accepting run of $A$ on some $\bar T_w$. Let $B$ be an antichain (with respect to the prefix ordering $\le$) of nodes of $\bar T_w$, and for each $y \in B$ let $\rho_y$ be an accepting run of $A$ on some subtree of $\bar T$ containing $\bar T_y$. Suppose for each $y \in B$ it holds that $\rho_y(y) = \rho(y)$. Then the function $\varrho$ defined as:

(i) $\varrho(z) = \rho_y(z)$ if $y \in B$ and $z \ge y$,

(ii) $\varrho(z) = \rho(z)$ if $z \in \bar T_w$ but $z \notin \bar T_y$ for any $y \in B$,

is an accepting run of $A$ on $\bar T_w$.

Now, let $\Psi$ be an accepting multirun. Let $\prec$ be any fixed total order on $Q$. We define the following ordering $\sqsubset$ on $dom(\Psi)$:

(i) $(w, q) \sqsubset (w', q')$ if $|w| < |w'|$,

(ii) $(w, q) \sqsubset (w', q')$ if $|w| = |w'|$ and $w$ is smaller than $w'$ in the lexicographic ordering of words,

(iii) $(w, q) \sqsubset (w, q')$ if $q \prec q'$.

Obviously, $\sqsubset$ is a total order, and if $dom(\Psi)$ is infinite then the order type of $\sqsubset$ is $\omega$. Now, we define a multirun $\Psi'$ by induction on $\sqsubset$. Suppose, for some pair $(w, q) \in dom(\Psi)$, the runs $\Psi'_{w',q'}$ are already defined for all pairs $(w', q') \sqsubset (w, q)$. Let $V$ be the set of those nodes $z$ of $\bar T_w$ for which there exists $(w', q') \sqsubset (w, q)$ such that $\Psi'_{w',q'}(z) = \Psi_{w,q}(z)$, and let $B$ be the set of minimal elements of $V$ with respect to the prefix ordering $\le$. Then, by Lemma 3.7, the function defined as:

(i) $\Psi'_{w,q}(z) = \Psi'_{w',q'}(z)$ if $y \in B$, $\Psi'_{w',q'}(y) = \Psi_{w,q}(y)$ and $z \ge y$,

(ii) $\Psi'_{w,q}(z) = \Psi_{w,q}(z)$ if $z \in \bar T_w$ but $z \notin \bar T_y$ for any $y \in B$,

is an accepting run of $A$ on $\bar T_w$. It is also easy to see that $\Psi'_{w,q}(w) = q$, so $\Psi'$ as we just defined it is an accepting multirun and is equivalent to $\Psi$. We leave it as an exercise for the reader to show that $\Psi'$ is indeed uniform. ■

In order to construct a family $(\rho^v)_{v \in \{0,1\}^*}$ it is not enough to know a multirun. This is because only the values $\rho^v(w)$ where $w \not\le v$ are kept in a multirun. To get the values of $\rho^v(w)$ where $w \le v$, we need an additional piece of information:

Definition 3.8 For a given multirun $\Psi$ its co-multirun, which will be denoted as $co\Psi$, is a function with domain $\{0,1\}^*$, whose values are subsets of $Q$, defined by induction as:

(i) $co\Psi(\varepsilon) = Q_0$;

(ii) $q_0 \in co\Psi(w0)$ if and only if there exist $q \in co\Psi(w)$ and $q_1 \in Q$ such that $(w1, q_1) \in dom(\Psi)$ and $(q, (T(w), \bar x)) \to (q_0, q_1)$ is a rule of $A$;

(iii) $q_1 \in co\Psi(w1)$ if and only if there exist $q \in co\Psi(w)$ and $q_0 \in Q$ such that $(w0, q_0) \in dom(\Psi)$ and $(q, (T(w), \bar x)) \to (q_0, q_1)$ is a rule of $A$.

Notice that $co\Psi$ only depends on the domain of $\Psi$: if $\Psi$ and $\Psi'$ are equivalent then $co\Psi$ equals $co\Psi'$. So, by Lemma 3.6, for every multirun there exists a uniform one with the same co-multirun.

The following lemma says that the information carried by a multirun and its co-multirun is indeed everything we need:

Lemma 3.9 Let $A$ be a search automaton over an alphabet $\Sigma \times \{x, \bar x\}$. Let $T$ be a tree over $\Sigma$ and let $T^v$ be defined as in Lemma 3.1. Then the following two conditions are equivalent:

(i) For every $v \in \{0,1\}^*$ the automaton $A$ accepts the tree $T^v$.

(ii) There exists an accepting multirun $\Psi$ on $T$ such that:
(X) for every $v \in \{0,1\}^*$ there exist $q, q_0, q_1$ such that both $(v0, q_0)$ and $(v1, q_1)$ are in the domain of $\Psi$, $q \in co\Psi(v)$, and $(q, (T(v), x)) \to (q_0, q_1)$ is a rule from $R$.

Notice that by Lemma 3.6 and by the remark just above the last lemma we could equivalently write "there exists an accepting uniform multirun" in the first line of the second item of the lemma.

Proof: (ii)⇒(i). Let $\Psi$ be a multirun as in (ii) and let $v \in \{0,1\}^*$. We need to define an accepting initial run $\rho$ of $A$ on $T^v$. There are $q, q_0, q_1$ such that $q \in co\Psi(v)$, both $(v0, q_0)$ and $(v1, q_1)$ are in the domain of $\Psi$, and $(q, (T(v), x)) \to (q_0, q_1)$ is a rule from $R$. Define $\rho(v) = q$. For $w \ge v0$ define $\rho(w)$ as $\Psi_{v0,q_0}(w)$ and for $w \ge v1$ define $\rho(w)$ as $\Psi_{v1,q_1}(w)$. Now, if $v = \varepsilon$ then what we defined is already an initial accepting run. If not, let $v = y0$ for some $y$ (the case when $v = y1$ is obviously symmetric). From the fact that $q \in co\Psi(v)$ and from the definition of $co\Psi$ we get that there are $q_y \in co\Psi(y)$ and $q_{y1}$ such that $(y1, q_{y1}) \in dom(\Psi)$ and $(q_y, (T(y), \bar x)) \to (q, q_{y1})$ is a rule of $A$. Define $\rho(y) = q_y$ and for $w \ge y1$ define $\rho(w) = \Psi_{y1,q_{y1}}(w)$. Then continue this process until the root of the tree is reached. It is not hard to check that the defined function $\rho$ is indeed a run as needed.

(i)⇒(ii). For each $v$ let $\rho^v$ be an initial accepting run of $A$ on $T^v$. We first define the domain of $\Psi$ as the set of all pairs $(w, q)$ such that there exists at least one $v$ with $\rho^v(w) = q$ and $w \not\le v$. Then, for each $(w, q) \in dom(\Psi)$ we fix one such $v$ and define $\Psi_{w,q}(y) = \rho^v(y)$ for $y \ge w$. It is obvious that $\Psi$ is an accepting multirun. To prove that $\Psi$ satisfies condition (X) we need:

Lemma 3.10 $\rho^v(w) \in co\Psi(w)$ for each $v \in \{0,1\}^*$ and each $w \le v$.

Proof: By item (i) of Definition 3.8 this is true for $w = \varepsilon$. Then use induction on the length of $w$. ■

Now, to finish the proof of Lemma 3.9, we notice that the triple $\rho^v(v), \rho^v(v0), \rho^v(v1)$ of states from $Q$ is a correct candidate for the triple $q, q_0, q_1$ whose existence is postulated by condition (X): $(v0, \rho^v(v0))$ and $(v1, \rho^v(v1))$ are in the domain of $\Psi$, by Lemma 3.10 we have that $\rho^v(v) \in co\Psi(v)$ and, since $\rho^v$ is a run of $A$ on $T^v$, we have that $(\rho^v(v), (T(v), x)) \to (\rho^v(v0), \rho^v(v1))$ is a rule from $R$. ■
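As an added illustration (not part of the paper), the following Python code evaluates the co-multirun $co\Psi$ of Definition 3.8 and checks condition (X) of Lemma 3.9 on a finite prefix of $\{0,1\}^*$. The automaton, the labelling $T$ and the two multirun domains are a constructed toy instance, and the rule-table encoding (`(q, letter, flag) -> set of (q0, q1)`, with flag `'x'` at the universally quantified node and `'xbar'` elsewhere) and the depth bound are assumptions of this example, not notation from the paper. It also exercises the remark that $co\Psi$ depends only on $dom(\Psi)$: the function takes the domain alone as input, and removing a single pair from the domain empties one value of $co\Psi$ and makes (X) fail at two nodes.

```python
from itertools import product

def nodes_up_to(depth):
    """All words of {0,1}* of length <= depth, shorter words first."""
    return [''.join(bits) for d in range(depth + 1)
            for bits in product('01', repeat=d)]

def co_multirun(rules, tree, dom, q_init, depth):
    """Definition 3.8, evaluated top-down for every node of length <= depth.

    rules  : dict (q, letter, flag) -> set of (q0, q1)
    tree   : function w -> letter of Sigma (the labelling T)
    dom    : set of pairs (w, q), the domain of a multirun Psi
    q_init : the initial states Q_0 of A
    Returns a dict w -> frozenset of states coPsi(w).
    """
    co = {'': frozenset(q_init)}                 # item (i): coPsi(eps) = Q_0
    for w in nodes_up_to(depth - 1):
        succ = set()
        for q in co[w]:
            succ |= rules.get((q, tree(w), 'xbar'), set())
        # item (ii): q0 enters coPsi(w0) only if the sibling pair (w1, q1)
        # lies in dom(Psi), i.e. the run can be continued to the right
        co[w + '0'] = frozenset(q0 for q0, q1 in succ if (w + '1', q1) in dom)
        # item (iii): symmetric for w1
        co[w + '1'] = frozenset(q1 for q0, q1 in succ if (w + '0', q0) in dom)
    return co

def condition_x(rules, tree, dom, co, depth):
    """Condition (X) of Lemma 3.9 at every node v of length < depth.

    Returns the list of nodes (shortest first) where (X) fails; an empty
    list means (X) holds on the whole explored prefix.
    """
    failing = []
    for v in nodes_up_to(depth - 1):
        holds = any((v + '0', q0) in dom and (v + '1', q1) in dom
                    for q in co[v]
                    for q0, q1 in rules.get((q, tree(v), 'x'), set()))
        if not holds:
            failing.append(v)
    return failing

# --- constructed toy instance (not the paper's automaton) ----------------
Q0 = {'p'}
RULES = {
    ('p', 'a', 'xbar'): {('p', 'p')},
    ('p', 'b', 'xbar'): {('p', 'r')},
    ('r', 'a', 'xbar'): {('r', 'r')},
    ('r', 'b', 'xbar'): {('r', 'r')},
    ('p', 'a', 'x'): {('p', 'p')},
    ('p', 'b', 'x'): {('r', 'r')},
    ('r', 'a', 'x'): {('r', 'r')},
    ('r', 'b', 'x'): {('r', 'r')},
}
DEPTH = 3

def tree(w):
    """Labelling T over Sigma = {'a', 'b'}: 'b' at the node '1', 'a' elsewhere."""
    return 'b' if w == '1' else 'a'

# Two multirun domains: every (w, q) up to DEPTH, and the same set with the
# single pair ('11', 'r') removed.
FULL_DOM = {(w, q) for w in nodes_up_to(DEPTH) for q in ('p', 'r')}
PRUNED_DOM = FULL_DOM - {('11', 'r')}

def demo():
    """Return (coPsi, nodes where (X) fails) for both domains."""
    co_full = co_multirun(RULES, tree, FULL_DOM, Q0, DEPTH)
    co_pruned = co_multirun(RULES, tree, PRUNED_DOM, Q0, DEPTH)
    return (co_full, condition_x(RULES, tree, FULL_DOM, co_full, DEPTH),
            co_pruned, condition_x(RULES, tree, PRUNED_DOM, co_pruned, DEPTH))

if __name__ == '__main__':
    co_full, fail_full, co_pruned, fail_pruned = demo()
    for w in nodes_up_to(DEPTH):
        print(f'{w or "eps":>4}  full={set(co_full[w])}  pruned={set(co_pruned[w])}')
    print('(X) fails at', fail_full, 'resp.', fail_pruned)
```

With the full domain, (X) holds at every explored node. Dropping $(11, r)$ from the domain removes the right-hand continuation that item (ii) of Definition 3.8 requires at $w = 1$, so $co\Psi(10)$ becomes empty and (X) fails both at the node $1$ (no admissible pair $(q_0, q_1)$) and at $10$ (no state $q$ to start from), which is exactly the information the automaton $\forall A$ of Section 3.3 has to carry in its component $S$.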

3.2 An intermediate step

As an intermediate step between multiruns and automata we consider ranked multiruns:

Definition 3.11 Let $\Psi$ be a uniform multirun. Then a rank on $\Psi$ is a function $\phi$ such that:

(i) The domain of $\phi$ consists of all the tuples $(w, q, v)$ such that $(w, q)$ is in the domain of $\Psi$ and $w \le v$;

(ii) The values of $\phi$ are natural numbers from the set $\{1, 2, \ldots, 2|Q|\}$;

(iii) $\Psi_{w_1,q_1}(v) = \Psi_{w_2,q_2}(v)$ if and only if $\phi(w_1, q_1, v) = \phi(w_2, q_2, v)$;

(iv) $\phi(w, q, v) \ge \phi(w, q, v0)$ and $\phi(w, q, v) \ge \phi(w, q, v1)$;

(v) If $\phi(w, q, v) = k$ and $\phi(w, q, v0) < k$ then there is no pair $(w', q')$ such that $\phi(w', q', v0) = k$. The same for $v1$: if $\phi(w, q, v) = k$ and $\phi(w, q, v1) < k$ then for no pair $(w', q')$ can it be that $\phi(w', q', v1) = k$.

Ranks are the way in which we are going to organize the memory of $\forall A$ to store a uniform multirun: $\phi(w, q, v) = k$ can be understood as "in the node $v$ the run $\Psi_{w,q}$ is kept in the register $k$". If two runs $\Psi_{w_1,q_1}$ and $\Psi_{w_2,q_2}$ are equal on some $v$ then they remain equal forever (on the whole tree $T_v$) and we do not need to make a difference between them any more. This is why we rank them as equal on $v$, thus keeping them in the same memory register (item (iii)). It may also happen that two runs $\Psi_{w_1,q_1}$ and $\Psi_{w_2,q_2}$ were not equal on some $v$ yet, but they are equal on $v0$ (or $v1$), and thus remain equal on $T_{v0}$ ($T_{v1}$). Then, while moving from $v$ to $v0$, we change the number of the register where one of the runs is remembered. Item (iv) gives us a hint how this will be done: we change the rank of the run which was ranked higher so far. But since we can only decrease the rank of a run, such a change can only happen (on a fixed path) finitely many times. This observation can be formalized as:

Lemma 3.12 Suppose $w_1, w_2, \ldots$ is a path, the pair $(w, q)$ is an element of the domain of a uniform multirun $\Psi$, $w \le w_1$ and $\phi$ is a rank on $\Psi$. Then the sequence $\phi(w, q, w_1), \phi(w, q, w_2), \phi(w, q, w_3), \ldots$ is non-increasing and thus constant from some point.

Let us also explain the role of the last item in Definition 3.11. It is possible that some run $\Psi_{w_1,q_1}$ has rank $k$ on some $v$, and then, on $v' > v$, it already has rank $k' < k$. But the memory register $k$ must be reused: there is another run $\Psi_{w_2,q_2}$ which has rank $k$ on $v'$. We need to give $\forall A$ a chance of seeing that $\Psi_{w_1,q_1}$ and $\Psi_{w_2,q_2}$, despite being kept in the same memory register, are two different runs. The way we do it (in item (v)) is that we secure that there is a node $v''$ between $v$ and $v'$ where the register $k$ is empty: no run has rank $k$ on $v''$.

This subsection would be incomplete without:

Lemma 3.13 For every uniform multirun $\Psi$ of $A$ there is a function $\phi$ which is a rank on $\Psi$.

Proof: Use the same kind of inductive construction as in the proof of Lemma 3.6. The only new thing here is that we must show that it is enough to have only $2|Q|$ different ranks. But since two runs which are equal on $v$ have the same rank on $v$, we actually only need $|Q|$ different numbers to rank them. The remaining $|Q|$ are needed because of item (v) of the definition of rank. ■

3.3 The automaton $\forall A$

Now we are ready to define the automaton $\forall A$. The set of the states of $\forall A$ consists of all possible tuples of the form $(S, s_1, s_2, \ldots, s_{2|Q|})$, where $S \subseteq Q$ and each $s_i$ is either $\bot$ or is itself a tuple $(q, j_0, j_1)$ where $q \in Q$ and $j_0, j_1$ are natural numbers from the set $\{1, 2, \ldots, 2|Q|\}$. This definition hardly comes as a surprise for a reader who understood the two previous subsections: the tuples $s_i$ are the registers where $\forall A$ will remember the runs of some uniform multirun $\Psi$. If $s_i = (q, j_0, j_1)$ in some node $w$ then $q$ is the value on $w$ of all the runs with rank $i$, and $j_0, j_1$ are the ranks of these runs on $w0$ and $w1$. Finally, $S$ is where $co\Psi$ is going to be kept. Having this explanation in mind it is easy to guess that
$$((S, s_1, s_2, \ldots, s_{2|Q|}), a) \to ((S^0, s^0_1, s^0_2, \ldots, s^0_{2|Q|}), (S^1, s^1_1, s^1_2, \ldots, s^1_{2|Q|}))$$
is a rule from the set $R^\forall$ of the rules of $\forall A$ if the following conditions hold:

(i) If $s_i = (q, j_0, j_1)$ then neither $s^0_{j_0}$ nor $s^1_{j_1}$ is $\bot$. If $s^0_{j_0} = (q_0, m_0, m_1)$ and $s^1_{j_1} = (q_1, n_0, n_1)$ then $(q, (a, \bar x)) \to (q_0, q_1)$ is a rule of the automaton $A$.

(ii) If $s_i = (q, j_0, j_1)$ and $j_0 < i$ then $s^0_i = \bot$. And also, if $s_i = (q, j_0, j_1)$ and $j_1 < i$ then $s^1_i = \bot$.

(iii) $q_1 \in S^1$ if and only if there is $q \in S$ and some $i$ with $s^0_i = (q_0, j_0, j_1)$ such that $(q, (a, \bar x)) \to (q_0, q_1)$ is a rule of the original automaton $A$. Symmetrically, $q_0 \in S^0$ if and only if there is $q \in S$ and some $i$ with $s^1_i = (q_1, j_0, j_1)$ such that $(q, (a, \bar x)) \to (q_0, q_1)$ is a rule of $A$.

(iv) There exist $q \in S$, $s^0_i = (q_0, n_0, n_1)$ and $s^1_{i'} = (q_1, n'_0, n'_1)$ such that $(q, (a, x)) \to (q_0, q_1)$ is a rule of $A$.

To end the construction of the automaton $\forall A$ we define $Q^\forall_0$ to be the set of those states $(S, s_1, s_2, \ldots, s_{2|Q|})$ with $S = Q_0$, and for each accepting condition $F_j \in \{F_1, F_2, \ldots, F_k\}$ of the automaton $A$ we define $2|Q|$ accepting conditions $F^1_j, F^2_j, \ldots, F^{2|Q|}_j$ of the automaton $\forall A$, where $(S, s_1, s_2, \ldots, s_{2|Q|}) \in F^i_j$ if and only if $s_i = \bot$, or $s_i = (q, j_0, j_1)$ and $q \in F_j$.

It is easy to check that $\forall A$ satisfies condition (L) and therefore is a search automaton: if $((S, s_1, \ldots, s_{2|Q|}), a) \to ((S^0, s^0_1, \ldots, s^0_{2|Q|}), (S^1, s^1_1, \ldots, s^1_{2|Q|}))$ is a rule and $i$ is such that $s_i$, $s^0_i$ and $s^1_i$ are not equal to $\bot$, then $s_i = (q, j_0, j_1)$ and, by item (ii), $i = j_0 = j_1$. By item (i), $s^0_i = (q_0, n_0, n_1)$ and $s^1_i = (q_1, m_0, m_1)$ where $(q, (a, \bar x)) \to (q_0, q_1)$ is a rule of the automaton $A$. It follows that one of the states $q, q_0, q_1$ is in $F_j$ and thus one of $s_i, s^0_i, s^1_i$ is in $F^i_j$.
Now, Lemma 3.1 will follow from Lemma 3.9 and from:

Lemma 3.14 For every tree $T$ over $\Sigma$ the two conditions are equivalent:

(i) There exists an initial and accepting run $\rho^\forall$ of $\forall A$ on $T$.

(ii) There exists an accepting multirun $\Psi$ on $T$ satisfying the condition (X) from Lemma 3.9.

Proof: (i)⇒(ii). Let $\rho^\forall$ be an initial and accepting run of $\forall A$ on $T$. Let $co\Psi(w)$ be $S$ where $\rho^\forall(w) = (S, s_1, s_2, \ldots, s_{2|Q|})$. Define $dom(\Psi)$ as the set of all pairs $(w, q)$ such that there exist $i, j_0, j_1$ with $\rho^\forall(w) = (S, s_1, s_2, \ldots, s_{2|Q|})$ and $s_i = (q, j_0, j_1)$. We need to show how to extract the run $\Psi_{w,q}$ from $\rho^\forall$. First define $\Psi_{w,q}(w) = q$. Notice that if now $\rho^\forall(w0) = (S^0, s^0_1, s^0_2, \ldots, s^0_{2|Q|})$ and $\rho^\forall(w1) = (S^1, s^1_1, s^1_2, \ldots, s^1_{2|Q|})$ then (by item (i) of the definition of a rule from $R^\forall$) we have that $s^0_{j_0} = (q_0, n_0, n_1)$ and $s^1_{j_1} = (q_1, m_0, m_1)$ for some $q_0, q_1, n_0, n_1, m_0, m_1$. Thus we can define $\Psi_{w,q}(w0) = q_0$ and $\Psi_{w,q}(w1) = q_1$, and then, by induction, we can define $\Psi_{w,q}(v)$ in this manner for any $v \ge w$, so that $\Psi(w, q)$ is a run of $A$ on $\bar T_w$. By the definition of $Q^\forall_0$ and by item (iii) the three conditions of Definition 3.8 hold and, by item (iv), the multirun $\Psi$ satisfies the condition (X). What still needs to be shown is that it is accepting. In order to prove it we fix $w, q$ and show that $\Psi(w, q)$ is an accepting run of $A$ on $\bar T_w$. Consider a path $x_1, x_2, x_3, \ldots$, where $x_1 \ge w$, and an accepting condition $F_j$ from the set of accepting conditions of $A$. We want to show that elements from $F_j$ occur infinitely many times in the sequence $\Psi_{w,q}(x_1), \Psi_{w,q}(x_2), \ldots$. But by the construction of $\Psi_{w,q}$ there exists, for each $t$, a number $h_t$ such that $\rho^\forall(x_t) = (S^t, s^t_1, \ldots, s^t_{2|Q|})$ and $s^t_{h_t} = (\Psi_{w,q}(x_t), n^t_0, n^t_1)$ for some $n^t_0, n^t_1 \le h_t$. It also follows from the construction that $h_{t+1}$ equals either $n^t_0$ or $n^t_1$, so that $h_{t+1} \le h_t$. The last observation implies that the sequence $h_1, h_2, h_3, \ldots$ stabilizes: there exist numbers $t_0$ and $h$ such that $h_t = h$ if $t \ge t_0$. To finish the proof we consider the sequence $s^{t_0}_h, s^{t_0+1}_h, \ldots$, which is, as we said, the same as $s^{t_0}_{h_{t_0}}, s^{t_0+1}_{h_{t_0+1}}, \ldots$. None of the elements of the last sequence is $\bot$, so, since $\rho^\forall$ is accepting, we get (by the accepting condition $F^h_j$) that infinitely many of the elements of the last sequence are of the form $(q', n, m)$ where $q' \in F_j$.

(ii)⇒(i). Let $\Psi$ be an accepting multirun on $T$ satisfying the condition (X) from Lemma 3.9; by the remark after Lemma 3.9 we may take $\Psi$ uniform, so by Lemma 3.13 there is a rank $\phi$ on $\Psi$. Define $\rho^\forall(w)$ as the tuple $(S, s_1, s_2, \ldots, s_{2|Q|})$ such that:

(i) $S = co\Psi(w)$;

(ii) $s_i = (q, j_0, j_1)$ if there exist $q' \in Q$ and $v \le w$ such that $\Psi_{v,q'}(w) = q$ and $\phi(v, q', w) = i$, and also $\phi(v, q', w0) = j_0$ and $\phi(v, q', w1) = j_1$;

(iii) $s_i = \bot$ if such $v, q'$ as above do not exist.

It is easy to check that what we defined in this way is indeed an initial run of $\forall A$. What still needs to be shown is that it is an accepting run. In order to prove it we consider a path $x_1, x_2, x_3, \ldots$ and an accepting condition $F^i_j$ from the set of accepting conditions of $\forall A$. Let $\rho^\forall(x_t) = (S^t, s^t_1, s^t_2, \ldots, s^t_{2|Q|})$. What we need to show is that the sequence $s^1_i, s^2_i, s^3_i, \ldots$ contains infinitely many $\bot$ symbols or has infinitely many elements of the form $(q, n, m)$ with $q \in F_j$. Suppose there are only finitely many $\bot$ symbols among the elements of the sequence. So there is $t_0$ such that none of the $s^t_i$, where $t \ge t_0$, is $\bot$. By items (iv) and (v) of the definition of rank (the register $i$ is never empty along the path from $x_{t_0}$ on, so it cannot change owner) this implies that there exist $w, q$ such that $\phi(w, q, x_t) = i$ for all $t \ge t_0$. Since $\Psi_{w,q}$ is an accepting run of $A$, we have that infinitely many of $\Psi_{w,q}(x_t)$ are in $F_j$. But for $t \ge t_0$ we have $s^t_i = (\Psi_{w,q}(x_t), n_t, m_t)$ for some $n_t, m_t$. ■
4 Appendix: An elementary proof of the fact that $EGFP$ is not in monadic $\Sigma_1$

We begin the proof with a definition:

Definition 4.1 Let $x$ be a vertex of an infinite binary tree $T$ colored with some monadic relations $P_1, P_2, \ldots, P_l$. Suppose $k$ is some fixed natural number.

(i) By the vertex type of $x$ we will mean the set $u(x) \subseteq \{1, 2, \ldots, l\}$ such that $P_i(x)$ holds if and only if $i \in u(x)$.

(ii) By the neighborhood type of $x$ we mean the triple $U(x) = (u(x), u(x0), u(x1))$ of the vertex types of $x$ and its both children.

(iii) A tree type $\mathcal U$ is a function whose arguments are neighborhood types and whose values are natural numbers $0, 1, \ldots, k$.

(iv) A tree $T$ colored with $P_1, P_2, \ldots, P_l$ has the tree type $\mathcal U(T)$ if for each neighborhood type $U$ the number of vertices of this type in $T$ is $k$-equal to $(\mathcal U(T))(U)$. Two numbers are understood to be $k$-equal if they are equal or if they are both greater than or equal to $k$ (in the last case one of them, or both, may be infinite).

(v) A perfect tree type is a pair $(\mathcal U, U)$, where $\mathcal U$ is a tree type and $U$ is a neighborhood type. A tree $T$ has perfect tree type $(\mathcal U, U)$ if $\mathcal U$ is its tree type and $U$ is the neighborhood type of its root.

By locality of first order logic and by acyclicity of the infinite tree, in order to prove the claim of this appendix (that property (*) is not in monadic $\Sigma_1$) it is enough to show:

Lemma 4.2 For every natural number $k$ there exists an infinite monadic tree $T^0$ colored with $P_1$ in a way satisfying property (*) such that for every $T'$ being an extension of $T^0$ by monadic relations $P_2, P_3, \ldots, P_l$ there is a monadic tree $T^+$ colored with the same relations as $T'$, not satisfying property (*) and of the same perfect tree type as $T'$.

The proof of Lemma 4.2 will occupy the rest of this section. For two tree types $\mathcal U_1$ and $\mathcal U_2$ let $\mathcal U_1 \preceq \mathcal U_2$ mean that $\mathcal U_1(U) \le \mathcal U_2(U)$ for every neighborhood type $U$. Notice that for fixed $l$ and $k$ there is only some finite number of tree types. So the partial order $\preceq$ is well-founded.

Definition 4.3 Let $T$ be the infinite monadic tree colored with monadic relations $P_1, P_2, P_3, \ldots, P_l$, let $T'$ be another tree of this kind and let $x$ be a vertex of $T$. Then $T[x \leftarrow T']$ is "$T$ with $T_x$ substituted with $T'$" or, to be more precise, the infinite binary tree colored with monadic relations $P_1, P_2, P_3, \ldots, P_l$ in such a way that $P_i(y)$ holds in $T[x \leftarrow T']$ if:

(i) $P_i(y)$ holds in $T$ and $x$ is not a prefix of $y$, or

(ii) $P_i(z)$ holds in $T'$ and $y = xz$.

It is easy to see that:

Lemma 4.4 If $x, y$ are two vertices of a colored tree $T$ such that $y < x$ then $\mathcal U(T_x) \preceq \mathcal U(T_y)$.

The last lemma and well-foundedness of $\preceq$ give:

Lemma 4.5 Let $x_1, x_2, x_3, \ldots$ be an infinite sequence of vertices of some $T$ such that $x_i < x_{i+1}$ for each $i$. Then there is a number $n_0$ such that for every $n \ge n_0$, $\mathcal U(T_{x_n}) = \mathcal U(T_{x_{n_0}})$.

Definition 4.6 A tree type $\mathcal U$ will be called ultimate if for every neighborhood type $U$ either $\mathcal U(U) = 0$ or $\mathcal U(U) = k$.

Lemma 4.7 Let $x_1, x_2, x_3, \ldots$ be an infinite sequence of vertices of some $T$ such that $x_i < x_{i+1}$ for each $i$ and let $n_0$ be the number from Lemma 4.5. Then the tree type $\mathcal U(T_{x_{n_0}})$ is ultimate.

Lemma 4.8 Let $x_1, x_2, x_3, \ldots$ be an infinite sequence of vertices of some $T$ such that $x_i < x_{i+1}$ for each $i$ and let $n_0$ be such a number that all $T_{x_n}$ for $n \ge n_0$ have the same ultimate tree type $\mathcal U$ (such a number exists by Lemma 4.7). Then there exists $n_1 \ge n_0$ such that if $n \ge n_1$, if $T^*$ is a tree such that $\mathcal U(T^*) \preceq \mathcal U$, and if the vertex type of the root of $T^*$ is the same as the vertex type of $x_n$, then the perfect type of $T$ is equal to the perfect type of $T[x_n \leftarrow T^*]$.

It is time now to define the tree $T^0$ from Lemma 4.2. In order to do it, it is enough to specify the predicate $P_1$. Let $m$ be the number of distinct vertex types. Then we put $P_1 = \{0^{mn} : n \in \mathbb N\}$. Obviously $T^0$ satisfies the property (*). Now consider some fixed tree $T'$ being an extension of $T^0$ by monadic relations $P_2, P_3, \ldots, P_l$. We need to show that there is a monadic tree $T^+$ colored with the same relations as $T'$, not satisfying property (*) and of the same perfect tree type as $T'$.

Let $x_i = 0^i$ and let $n_1$ be the constant from Lemma 4.8. We consider two numbers $j_0 < j_1$, both greater than $n_1$, such that:

(i) the vertices $0^{j_0}$ and $0^{j_1}$ have the same vertex type in $T'$;

(ii) if $n \equiv 0 \pmod m$ then either $n < j_0$ or $j_1 < n$.

Notice that the last condition implies that if $x$ is on the path from $0^{j_0}$ to $0^{j_1}$ then $x \notin P_1$.

Now, define $T^*$ as the tree where $x \in P_i$ if and only if the following condition holds:

$x = (0^{j_1 - j_0})^n y$ for some $n \ge 0$ and some $y$ such that $0^{j_1 - j_0}$ is not a prefix of $y$, and $0^{j_0} y \in P_i$ holds in $T'$.

Obviously the vertex type of the root of $T^*$ is the same as the vertex type of the root of $T'_{x_{j_0}}$. It is also easy to see that $\mathcal U(T^*) \preceq \mathcal U$, where $\mathcal U$ is the ultimate tree type of Lemma 4.8 for the sequence $x_i = 0^i$. So by Lemma 4.8 the tree $T^+ = T'[x_{j_0} \leftarrow T^*]$ has the same perfect type as $T'$. To finish the proof of Lemma 4.2 we observe that since $P_1$ does not occur in $T^*$ there are only finitely many vertices in the predicate $P_1$ in $T^+$, so the property (*) does not hold in $T^+$. ■
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Abstract 

We  will  answer  questions  due  to  A.  Blass  and  Y.  Gurevich 
on  definability  of  order  in  the  first-order  logic  with  Hilbert’s 
epsilon  operation.  E.g.,  we  will  show  that  a  linear  ordering 
is  almost  surely  definable  in  models  with  random  choice. 

There  is  a  well-known  discrepancy  between  computa¬ 
tional  and  descriptive  complexity  in  finite  models.  For  in¬ 
stance,  a  finite  automaton  can  check  whether  the  number  of 
elements  in  any  given  finite  set  is  even  or  odd,  even  though 
this  property  is  not  expressible  in  either  monadic  S}  or 
IFF  (inflationary  fixpoint  logic).  The  difference  apparently 
arises  from  the  fact  that  the  data  in  a  computer’s  memory  are 
always  linearly  ordered,  even  if  the  ordering  is  random.  In 
the  presence  of  a  linear  ordering,  there  is  a  much  nicer  cor¬ 
respondence  between  computational  and  descriptive  com¬ 
plexity  classes.  In  particular,  parity  becomes  definable  in 
both  monadic  E }  and  IFF.  It  is  natural  to  ask  if  a  similar  de¬ 
scriptive  strength  can  be  obtained  with  weaker  extensions 
of  the  various  logics. 

In  recent  years,  several  people  have  introduced  strength¬ 
enings  of  the  first-order  logic  by  a  choice  operation  in  de¬ 
scriptive  finite  model  theory,  see  the  witness  operation  by 
S.  Abiteboul  and  V.  Vianu  in  [1]  and  Hilbert’s  epsilon  oper¬ 
ation,  introduced  by  D.  Hilbert  and  F.  Bernays  in  §  8  of  [4] 
in  a  restricted  context,  and  discussed  by  A.  Blass  and  Y. 
Gurevich  in  [2].  Choice  operations  are  easy  to  define  from 
a  global  linear  ordering  and  hence  easy  to  compute.  More¬ 
over,  they  are  a  natural  concept  in  programming. 

In  this  paper  we  study  the  expressive  power  of  Hilbert’s 
epsilon  operation.  In  [2],  the  e-logic  is  defined  as  follows. 
The  syntax  of  the  e-logic  is  defined  as  that  of  the  first-order 
logic  with  the  following  additional  rule:  If  (p{vi,y)  is  a  for¬ 
mula  of  the  e-logic,  then  £Vi(l>{vi,y)  is  a  term.  An  e-model 
{A,  E)  is  a  model  A  together  with  a  choice  operation  E, 

*  Research  partially  supported  by  the  Academy  of  Finland,  grant  40734, 
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i.e.,  £  is  a  function  from  the  power  set  of  ^  to  ^  such  that 
for  all  non-empty  X  C  A,  E{X)  £  X.  Then  the  inter¬ 
pretation  of  £Vi4>{vi,d)  in  an  e-model  {A,E)  is  defined  to 
be  E{(j){A,d)).  Otherwise  the  semantics  of  the  e-logic  is 
defined  as  the  semantics  of  the  first-order  logic. 

Very little is known about the expressive power of the ε-logic (in finite models). However, it is known that the ε-logic is more expressive than the first-order logic by the work of M. Otto ([6]). In [2], the following three questions were asked among others:

1. Is the standard order uniformly definable in ε-logic?

2. Is the last element of the standard order uniformly definable in ε-logic?

3. Is some linear ordering uniformly definable in ε-logic?

By the standard order we mean the usual ordering one gets from a choice function: For finite ε-models $(\mathcal A, E)$ and $n < \omega$, we define $A^n$ so that $A^0 = A$ and $A^{n+1} = A^n \setminus \{E(A^n)\}$. Then $a$ is smaller or equal to $b$ in the standard order if for all $n < \omega$, $a \in A^n$ implies $b \in A^n$. The existence of such an ordering shows that all ε-models are inherently rigid.

In this paper, we will give a negative answer to the first two questions (even) in finite ε-models. Notice that the standard order is easily definable in FO+ε+IFP, see [3], and notice further that this means that FO+ε+IFP is the same as PTIME.

The third question appears to be much harder, and our partial result stems from a failed attempt to solve it by a very straightforward random choice argument. Contrary to our expectations, we found out that there is an ε-formula which almost surely defines a linear ordering in finite ε-models. This leaves open an interesting question. Our result implies that any property which is almost surely definable on randomly ordered structures is also almost surely definable on ε-structures with a random choice. On the other hand, any property that is definable on all finite ε-structures is definable on all linearly ordered finite structures. We do not know whether either of these implications can be reversed. The reversibility of the latter implication is, of course, the question we originally tried to answer.

1  Almost  surely  definable  ordering 

In this section we will sketch a proof of the fact that a linear ordering is almost surely definable in ε-logic.

We shall start the proof of the main theorem of this section (Theorem 1 below) by first explaining the general outline and looking at some of the details afterwards. In the more informal part, expressions such as "with high probability" mean that the limit probability of the claim holding in a random ε-model is 1. Our techniques resemble those that Matt Kaufmann used in [5] to handle monadic second-order logic, and his article gave us some ideas for simplifying ours.

We will use the following notion repeatedly. If $A \subseteq B$, $x \in B$ and $R \subseteq B^2$, we write $A_R[x]$ for the set $\{y \in A \mid R(x,y)\}$, and we say that $x$ $R$-codes the set $A_R[x]$ in $A$.

Without loss of generality, we can assume that the vocabulary of our ε-models is empty. So, suppose we are given a random ε-model $\mathfrak M' = (M', E')$. We define a new random ε-model $\mathfrak M = (M, E)$ inside $\mathfrak M'$, with a certain fixed vocabulary $L$ that contains everything needed in the rest of the proof.

In the new model there is a random unary function $F$. With high probability, there is a point $a$ whose preimage under $F$ is somewhat smaller than $\log|M|$, but larger than $2\log\log|M|$. Let $A$ be the preimage of $a$. There is a subset $B \subseteq A$ of size logarithmic in $|A|$ such that a binary relation $R$ is a linear ordering on $B$. Moreover, it is very likely that there is a parameter $b \in M$ that $V_0$-codes $B$ in $A$, where $V_0$ is a random binary relation. Hence, we have a parameter definable set $B$ with a definable linear ordering such that $|B| > \log\log\log m + 1$.

Every $x \in M$ $V_1$-codes a subset of $B$, where $V_1$ is another random binary relation. With the help of the choice operator, we can pick a set $B_1$ such that for each $C \subseteq B$ coded by some $x \in M$ there is exactly one $y \in B_1$ that $V_1$-codes $C$ in $B$. On the other hand, the ordering of $B$ induces, in a natural way, a linear ordering on $B_1$. With high probability, $|B_1| > \log\log m$. We can iterate this construction, this time looking at subsets of $B_1$ that are $V_2$-coded by elements of $M$. This way, we get definable sets $B_2$ and $B_3$, each of them with a definable linear ordering. Moreover, with high probability, $B_3 = M$; hence the whole model carries a definable linear ordering. Finally, we show how to get rid of the parameters that we used in the construction.

After this overview, we will state the claim and give the proof in more detail.

The formula

$$\forall xy\,(x = y \leftrightarrow (\psi(x,y) \wedge \psi(y,x))) \wedge \forall xy\,(\psi(x,y) \vee \psi(y,x)) \wedge \forall xyu\,((\psi(x,y) \wedge \psi(y,u)) \rightarrow \psi(x,u)),$$

expressing the condition that $\psi(x, y, \bar z)$ defines a linear ordering, is denoted by $\mathrm{Lin}_\psi(\bar z)$, where $\bar z$ is a (possibly empty) sequence of parameters. For $n \in \mathbb N$, let $\mathfrak S_n$ be the set of all ε-models $(M; E)$ such that $M = \{0, \dots, n-1\}$.

Theorem 1 There is an ε-formula $\psi(x, y)$ which defines a linear ordering in a random finite ε-model with limit probability 1, that is,

$$\frac{|\{\mathfrak M \in \mathfrak S_n : \mathfrak M \models \mathrm{Lin}_\psi\}|}{|\mathfrak S_n|} \to 1.$$

Proof. The theorem will follow from the sequence of lemmas proved below. □

Assume that $\mathfrak M' = (M', E')$ is a finite ε-model with the empty vocabulary such that $|M'| = m + 9$ for some $m \ge 1$. We first define another model $\mathfrak M = (M, F, R, V_0, V_1, V_2, V_3; E)$ within $\mathfrak M'$ such that $|M| = m$, $F$ is a unary function, $R$ is a tournament, i.e., an irreflexive binary relation such that exactly one of $R(x, y)$ and $R(y, x)$ holds, and the $V_i$, $i = 0, 1, 2, 3$, are arbitrary binary relations. Moreover, if $E'$ is chosen randomly, then $F$, $V_0$, $V_1$, $V_2$, $V_3$ and $E$ are random and mutually independent. The tournament $R$, on the other hand, is directly defined from $E$, since we do not need to assume it to be random.

Firstly, define $a_0, \dots, a_8$ to be the first nine elements in the standard linear ordering. That is, let $a_0 = E'(M')$, $a_1 = E'(M' \setminus \{a_0\})$, $a_2 = E'(M' \setminus \{a_0, a_1\})$, and so on. Then, let $M = M' \setminus \{a_0, \dots, a_8\}$, and let $E = E' \restriction \mathcal P(M)$. Further, for $a \in M$, let $F'(a) = E'(\{a_0\} \cup M \setminus \{a\})$, and let

$$F(a) = \begin{cases} a, & \text{if } F'(a) = a_0,\\ F'(a), & \text{otherwise.}\end{cases}$$

Define $R$ by $(x, y) \in R \Leftrightarrow E(\{x, y\}) \ne y$. (This implies, in particular, that $R$ is irreflexive.) Finally, for $x, y \in M$, $i = 0, 1, 2, 3$, define $V_i(x, y)$ to hold iff either $x \ne y$ and $E(\{x, y, a_{2i+1}, a_{2i+2}\}) \in \{x, a_{2i+1}\}$, or $x = y$ and $E(\{x, a_{2i+1}\}) = x$.

It is fairly easy to see that these definitions have the desired properties. For independence, it suffices to check that all of the defined relations depend on the values of $E$ on different sets.

Since $\mathfrak M$ is definable inside $\mathfrak M'$ without parameters and so are all elements of $M' \setminus M$, it is clearly sufficient to define a linear ordering in $\mathfrak M$. So, from now on, we work in $\mathfrak M$. Throughout the rest of the section, $m = |M|$.

Lemma 2 Let $F : M \to M$ be a random function. Then with probability approaching 1 as $m \to \infty$, there is $a \in M$ such that

where $k_a = |F^{-1}[a]|$.

Proof. A much stronger result is known, but we sketch a simple argument sufficient to prove this weaker claim we need.

Firstly, the number of ways to choose a subset $X \subseteq M$ such that $|X| = k$ and an element $x \in M$ is $m\binom{m}{k}$. Each such pair $(X, x)$ satisfies the condition $X \subseteq F^{-1}[x]$ with probability $m^{-k}$. Hence the probability that there exists $x \in M$ such that $k_x > k$ is at most

$$m\binom{m}{k}\,m^{-k} \le m/k! \to 0,$$

if $\;\cdot\; > m$. So, with limit probability 1, the first inequality is true for all $a \in M$.

On the other hand, let $M_0 \cup \dots \cup M_{k-1}$ be a partition of $M$ into $k$ equal parts, supposing for simplicity that $k$ divides $m$. Let $D_i = F[M_i]$. If there is some $M_i$ such that $|D_i| < |M_i|/k = m/k^2$, then there must be some $a \in D_i$ such that $|F^{-1}[a] \cap M_i| > k$. If not, let $E_i =$

It can be shown by induction on $i$ that $|E_i| > m/(3k/2)^{i}$ with probability approaching 1. In particular, $E_{k-1} \ne \emptyset$. For $a \in E_{k-1}$, $|F^{-1}[a]| > k$.

The exact details of this proof are rather tedious and uninteresting, and we omit them. □

Lemma 3 Let $n \in \mathbb N$, let $A$ be a set such that $|A| \ge 2^n$, and let $R \subseteq A^2$ be a tournament. Then there is a set $B \subseteq A$ such that $|B| = n + 1$ and $R \restriction B$ is a strict linear order.

Proof. Easy Ramsey-type induction on $n$. For $n = 0$, the claim is trivial. Assume then that the claim holds for $n = k$, and consider a set $A$ such that $|A| \ge 2^{k+1}$. Choose an arbitrary element $a \in A$, and let $A_0 = \{x \in A : R(x, a)\}$ and $A_1 = \{x \in A : R(a, x)\}$. Now $A_0 \cup A_1 = A \setminus \{a\}$, and hence there is $i \in \{0, 1\}$ such that $|A_i| \ge 2^k$. By the induction hypothesis, there is a subset $B' \subseteq A_i$ such that $|B'| = k + 1$ and $R \restriction B'$ is a linear order. Now the set $B = B' \cup \{a\}$ witnesses the claim for $n = k + 1$. □
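The induction in the proof of Lemma 3 is constructive; the following added example (my own code, not from the paper) runs it as a recursive procedure on a constructed tournament, the Paley tournament on $\mathbb Z_{19}$, and checks that the extracted $n+1$ elements are linearly ordered by $R$. The function names are my own.

```python
"""Added example (not from the paper): the Ramsey-type extraction of
Lemma 3, run as a recursive procedure on an explicit tournament."""
from typing import Callable, Iterable, List


def transitive_subtournament(A: Iterable, R: Callable, n: int) -> List:
    """Return B, a subset of A with |B| = n + 1, on which R is a strict
    linear order.  Requires |A| >= 2**n, the hypothesis of Lemma 3.

    Mirrors the inductive proof: fix any a in A, split the rest into
    A0 = {x : R(x, a)} and A1 = {x : R(a, x)}, recurse into the larger
    half (it has at least 2**(n-1) elements) and put a back at the end.
    The list is returned in increasing R-order.
    """
    A = list(A)
    if len(A) < 2 ** n:
        raise ValueError("Lemma 3 needs |A| >= 2^n")
    if n == 0:
        return [A[0]]                       # any single element will do
    a = A[0]
    A0 = [x for x in A if x != a and R(x, a)]   # elements R-below a
    A1 = [x for x in A if x != a and R(a, x)]   # elements R-above a
    # |A0| + |A1| = |A| - 1 >= 2^n - 1, so the larger half has >= 2^(n-1)
    if len(A0) >= len(A1):
        return transitive_subtournament(A0, R, n - 1) + [a]   # a is largest
    return [a] + transitive_subtournament(A1, R, n - 1)       # a is smallest


def is_strict_linear_order(B: Iterable, R: Callable) -> bool:
    """Check that R restricted to B is irreflexive, total and transitive."""
    B = list(B)
    for x in B:
        if R(x, x):
            return False
        for y in B:
            if x != y and R(x, y) == R(y, x):
                return False
            for z in B:
                if R(x, y) and R(y, z) and not R(x, z):
                    return False
    return True


def is_tournament(A: Iterable, R: Callable) -> bool:
    """Irreflexive, and exactly one of R(x, y), R(y, x) for x != y."""
    A = list(A)
    return all((x == y and not R(x, x)) or (x != y and R(x, y) != R(y, x))
               for x in A for y in A)


# Constructed input: the Paley tournament on Z_19.  Since 19 = 3 (mod 4),
# for d != 0 exactly one of d and -d is a nonzero square mod 19, so the
# relation below is a tournament; it is far from transitive.
SQUARES_MOD_19 = {(i * i) % 19 for i in range(1, 19)}


def paley(x: int, y: int) -> bool:
    return (y - x) % 19 in SQUARES_MOD_19


def demo():
    """|A| = 19 >= 2^4, so Lemma 3 promises a transitive B with |B| = 5."""
    A = list(range(19))
    B = transitive_subtournament(A, paley, 4)
    return B, is_strict_linear_order(B, paley)


if __name__ == "__main__":
    print(demo())
```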

Lemma 4 Let $A$ be a subset of $M$ such that $|A| = k$ with $\lfloor k/2 \rfloor < m$, let $B \subseteq A$, and let $V_0 \subseteq M^2$ be a random binary relation. Then with probability approaching 1, there is $b \in M$ such that $B = A_{V_0}[b]$.

Proof. A single element $y \in M$ fails to satisfy the condition with probability $1 - 2^{-k}$, independently of others. Hence the probability that no element satisfies the condition is

$$(1 - 2^{-k})^m \le e^{-m/2^k} \to 0,$$

as $m \to \infty$. □


Corollary 5 Let $a$ be as in Lemma 2 and let $A = F^{-1}[a]$. Then with probability approaching 1, there are a parameter $b \in M$, a set $B \subseteq A$ and a linear ordering $<_B$ on $B$ such that $B$ and $<_B$ are ε-definable from the parameters $a$ and $b$ and that $m <$

Proof. Let $B \subseteq A$ be as in Lemma 3, define $x <_B y$ iff $R(x, y)$, for $x, y \in B$, and let $b \in M$ be such that $B = A_{V_0}[b]$. □

Lemma 6 Let $U, V$ be finite nonempty sets such that $|U| = u$, $|V| = v$, and let $f : U \to V$ be a random function.

(i) The function $f$ is one-to-one with probability at least $1 - u^2/v$.

(ii) The function $f$ is onto with probability at least $1 - v e^{-u/v}$.

Proof. Easy. □

We will define sets $B_i$ and linear orderings $<_i$ on them, respectively, for $i = 0, 1, 2, 3$, by recursion on $i$. Let $B_0 = B$, $<_0 = <_B$. Assume then that $B_i$ and $<_i$ have been defined. Firstly, for $x \in M$, let $[x]_i = \{y \in M \mid (B_i)_{V_{i+1}}[y] = (B_i)_{V_{i+1}}[x]\}$, and let $B_{i+1} = \{x \in M \mid x = E([x]_i)\}$. Then, for $x, y \in B_{i+1}$, define $x <_{i+1} y$ iff there is some $z \in B_i$ such that $R_i(x, z)$ but not $R_i(y, z)$ and that for all $u <_i z$, we have $R_i(x, u) \leftrightarrow R_i(y, u)$.

Lemma 7 The sets $B_i$ and the relations $<_i$ are definable from the same parameters, $a$ and $b$, as the set $B$ and its ordering $<_B$ are. Moreover, each $<_i$ is a linear ordering on $B_i$.

Proof. Easy induction on $i$.

Clearly, $B_{i+1}$ is ε-definable from the same parameters as $B_i$. Moreover, $<_{i+1}$ is the partial ordering corresponding to the lexicographic ordering of $\mathcal P(B_i)$. Since $B_{i+1}$ contains exactly one element from each equivalence class $[x]_i$, the ordering $<_{i+1}$ is actually linear. □

Lemma 8 For $i = 0, 1, 2$, $|B_{i+1}| > \min(2^{|B_i|}, (\log m)^2)$ with limit probability 1.

Proof. Consider the function $f_i : M \to \mathcal P(B_i)$, $f_i(x) = (B_i)_{V_{i+1}}[x]$. The set $B_{i+1}$ contains exactly one element for each different value of $f_i$. If $2^{|B_i|} < \log^2 m$, then $f_i$ is onto with limit probability 1, according to Lemma 6, and hence $|B_{i+1}| = 2^{|B_i|}$. Otherwise, it has at least $(\log m)^2$ different values. □

Corollary 9 With limit probability 1, $|B_2| > (\log m)^2$.

Proof. Since $m < (2^{|B_0|})^{2^{|B_0|}}$, we get $m < |B_1|^{|B_1|}$, and hence $|B_2| \log |B_2| > m$, which implies the claim for large enough $m$. □
Lemma 10 With limit probability 1, $B_3 = M$.

Proof. Let $f_2 : M \to \mathcal P(B_2)$ be as in the proof of Lemma 8. By Corollary 9 and Lemma 6, $f_2$ is one-to-one with limit probability 1. Hence it gets $|M|$ different values, and so $|B_3| = |M|$, thus $B_3 = M$. □

Now we have a linear order $<_3$ of the whole of $M$, but it is defined from two parameters. At this point, we can eliminate them with the epsilon operator.

Lemma 11 Let $\phi(x, y, \bar z)$ be an ε-formula and $\bar a \in M$ parameters such that $\phi(x, y, \bar a)$ defines a linear ordering in $\mathfrak M$. Then there is a formula $\phi'(x, y)$ such that $\phi'$ defines a linear ordering in $\mathfrak M$ without parameters.

Proof. By induction on the number of parameters. If there are no parameters, there is nothing to prove. Let then $\phi(x, y, z_0, \dots, z_k)$ be a formula with $k + 1$ parameters, $k \in \mathbb N$. Let $\mu(z_0, \dots, z_k)$ be the formula asserting that $\phi$ defines a linear ordering, and let $\phi_0(x, y, z_1, \dots, z_k)$ be the formula

$$\phi(x, y, \varepsilon u(\mu(u, z_1, \dots, z_k)), z_1, \dots, z_k).$$

Now $\phi_0$ defines a linear ordering with $k$ parameters, and therefore, by induction hypothesis, there is $\phi_0'(x, y)$ defining a linear ordering in $\mathfrak M$ without parameters. □

This lemma finishes the proof of Theorem 1.

2 Standard order is not definable in ε-logic

In this section we sketch a proof of a negative answer to the first question from [2]. We are forced to start proving everything from the definition of the ε-logic since there are no useful characterizations for the equivalence in the ε-logic. In fact, it seems very difficult to find e.g. a useful Ehrenfeucht-Fraïssé style characterization for equivalence in the ε-logic. Especially, this is the case if one restricts the equivalence to those sentences of the ε-logic which are independent from the choice of the choice operation (which is the most interesting fragment of the ε-logic).

The idea in the proof is simple (it will be tricky to find the right inductive hypotheses, though): We define two suitably different linear orderings $<$ and $<^*$ on a set $A$. Then we define a choice operation $E$ on $A$ so that $<$ will be the standard order but otherwise, whenever possible, $E$ chooses $<^*$-least elements. Then, using the suitable difference between $<$ and $<^*$, we show that if a set is definable in $(A, E)$ by a formula of the ε-logic, then it is essentially definable in $(A, <^*)$ by a first-order formula of roughly the same quantifier rank. Then we finish the proof by observing that next to nothing on $<$ is definable in $(A, <^*)$ by a first-order formula.


Above, in the phrase "essentially definable", the word "essentially" plays an important role. E.g. the second element in the canonical order is definable in $(A, E)$ by a formula of the ε-logic but it will not be definable in $(A, <^*)$ by any first-order formula of reasonable quantifier rank.

In order to make the number of cases in the proofs small, we assume that all ε-formulas are in a form in which the quantifiers $\exists$ and $\forall$ do not appear. This is possible by the following observation.

Fact 12 For every ε-formula $\phi(\bar y)$ there is an ε-formula $\psi(\bar y)$ such that the quantifiers $\exists$ and $\forall$ do not appear in $\psi$ and for all ε-models $\mathcal A$ and sequences $\bar d \in A$,

$$\mathcal A \models \phi(\bar d) \;\text{ iff }\; \mathcal A \models \psi(\bar d).$$

By the quantifier rank $qr(\phi)$ of an ε-formula we mean the number of appearances of $\varepsilon$ in $\phi$ (this definition, although unusual, will turn out to be convenient). We say that an ε-formula $\phi$ is ε-free if $qr(\phi) = 0$.

Let $N < \omega$ (and so $N = \{n < \omega \mid n < N\}$). By $\mathcal A_N = (A_N, E)$ we mean the following ε-model: $A_N = N \times N$. By $A_N^{<n}$ we mean the set of those $(a, b) \in A_N$ such that $b < n$. By $<$ we mean the lexicographic order of $A_N$, i.e., $(a, b) < (a', b')$ if $a < a'$ or $a = a'$ and $b < b'$. Notice that the pairs $(a, b) \in A_N$ may be considered as natural numbers $aN + b$, in which case $<$ is the usual ordering of the natural numbers. The ordering $<^*$ is defined as follows: $(a, b) <^* (a', b')$ if $b < b'$ or $b = b'$ and $a < a'$. Notice that if $x \in A_N^{<n}$ and $y \in A_N - A_N^{<n}$, then $x <^* y$. For $X \subseteq A_N$, we define $E(X)$ as follows: If for some $a < N - 1$ and $b < N$, $X = \{x \in A_N \mid x \ge (a, b)\}$, then $E(X) = (a, b)$ and otherwise $E(X)$ is the $<^*$-least member of $X$ if one exists, and $E(\emptyset) = (0, 0)$ $(= E(A_N))$. The subsets of $A_N$ of the form $\{x \in A_N \mid x < (a, b)\}$, $a < N - 1$, are called standard (so, e.g., $\{x \in N \times N \mid x < (N - 1, 0)\}$ is not standard, this is important). Notice that $<$ is the standard order of $\mathcal A_N$. By $\mathcal A_N^*$ we mean the structure $(A_N, <^*)$.

By a $<^*$-formula we mean a first-order formula in the similarity type $\{<^*\}$ and the quantifier rank for such a formula is defined in the usual way. For $\bar a, \bar b \in A_N$, we write $(\mathcal A_N^*, \bar a) \equiv_n (\mathcal A_N^*, \bar b)$ if $\bar a$ and $\bar b$ satisfy the same $<^*$-formulas up to quantifier rank $n$.

We will show that $<$ is not definable in $\mathcal A_N$ by an ε-formula of quantifier rank $\le n$ assuming that $N$ is large enough, say $N > 2^{2n+3}$. So all the time we assume that $n$ and $N$ are such that $N > 2^{2n+3}$. The following well-known fact is the reason for the choice of $N$ (we state the fact in the form it will be used):

Fact 13 Let $n < \omega$ and $\mathcal A = (A, <^*)$ be a linear ordering.

(i) For $i < 4$, let $\bar a_i$ be a sequence of elements of $A$, for $i \in \{0, 2\}$, let $a_i$ be the $<^*$-largest element of $\bar a_i$ and for $i \in \{1, 3\}$, let $a_i$ be the $<^*$-smallest element of $\bar a_i$. Assume that $a_0 <^* a_1$, $a_2 <^* a_3$, in both intervals there are at least $2^n - 1$ elements or the same number of elements, $(\mathcal A, \bar a_0) \equiv_n (\mathcal A, \bar a_2)$ and $(\mathcal A, \bar a_1) \equiv_n (\mathcal A, \bar a_3)$. Then

$$(\mathcal A, \bar a_0, \bar a_1) \equiv_n (\mathcal A, \bar a_2, \bar a_3).$$

(ii) Suppose $a, b \in A$ are such that there are $\ge 2^n - 1$ elements which are $<^*$-smaller than both $a$ and $b$ and $\ge 2^n - 1$ elements which are $<^*$-greater than both $a$ and $b$. Then $(\mathcal A, a) \equiv_n (\mathcal A, b)$.

Definition 14 (1) We say that a sequence $\bar a = (a_0, \dots, a_p)$ of elements of $A_N$ is $(k, m)$-good if for all $i \le p$, $a_i \in A_N^{<m}$ implies $a_i \in A_N^{<k}$. Then we write $\bar a^0_{k,m}$ for $(a_i \mid a_i \in A_N^{<k})$ and $\bar a^1_{k,m}$ for $(a_i \mid a_i \in A_N - A_N^{<m})$. We say that $\bar a$ is $(k, m, W)$-good if $\bar a$ is $(k, m)$-good and $\bar a^1_{k,m} = (a_i \mid i \in W)$.

(2) Let $k, m, p < N$. We say that $(k, m)$-good sequences $\bar a$ and $\bar b$ of elements of $A_N$ are $(k, m, p)$-equivalent if the following holds:

(a) $(\mathcal A_N^*, \bar a) \equiv_p (\mathcal A_N^*, \bar b)$,

(b) for all $i < lg(\bar a)$, if $a_i \in A_N^{<k}$ or $b_i \in A_N^{<k}$, then $a_i = b_i$.

Instead of $\bar a^0_{k,m}$ and $\bar a^1_{k,m}$ we write usually just $\bar a^0$ and $\bar a^1$; $k$ and $m$ are always clear from the context.

We define $F : \mathbb N \to \mathbb N$ so that $F(0) = 3$ and $F(n + 1) = 2F(n) + 1$ (i.e. $F(n) = 2^{n+2} - 1$).

Proposition 15 For all $k, n < \omega$ and $N > 2^{2n+3}$, if $\bar a$ and $\bar b$ are finite sequences of $A_N$ and they are $(k, k + F(n), 2n)$-equivalent, then $(\mathcal A_N, E, \bar a)$ is equivalent in ε-logic to $(\mathcal A_N, E, \bar b)$ up to quantifier rank $n$.

For fixed $N < \omega$, we will prove the proposition by induction on $n$ for those $n$ for which $N > 2^{2n+3}$, and we will do this in a series of lemmas. However, in order to keep the induction going, we need to prove more. Let us repeat that from now on $N$ is fixed.

To avoid notational difficulties we will give the following precise definition for $\mathcal A \models \phi(\bar a)$, where $\bar a = (a_i)_{i < lg(\bar a)}$ and $\phi(\bar y)$ is either an ε-formula or a $<^*$-formula: We assume that all the variables in the formulas are from the set $\{v_i \mid i < \omega\}$ and $\mathcal A \models \phi(\bar a)$ holds if $\phi$ is true in $\mathcal A$ when each free variable $v_i \in \bar y$ is interpreted as $a_i$. In addition, we assume that $\bar y$ always denotes a sequence of the form $(v_i)_{i < l}$.

In  the  following  definitions  we  define  formulas  whose 
existence  will  be  proved  later. 

Definition 16 Let $\phi(v_i, \bar y)$ be an ε-formula of quantifier rank $r$. For all $W \subseteq lg(\bar y)$, $k$, $n \ge r$ and finite sequences $\bar c$ of elements of $A_N^{<k}$ we write $\phi^{\bar c}_{k,n,W}(v_i, \bar y)$ for a $<^*$-formula such that

(1) $\phi^{\bar c}_{k,n,W}$ is of quantifier rank $\le 2r$,

(2) for all $(k, k + F(n), W)$-good $\bar d \in A_N$, if $\bar d^0 = \bar c$, then

Definition 17 Let $\phi(v_i, \bar y)$ be an ε-formula of quantifier rank $r$. For all $W \subseteq lg(\bar y)$, $k$, $n \ge r$, $A \subseteq$ and finite sequences $\bar c$ of elements of $A_N^{<k}$ we write $\theta^{\bar c, A}_{k,n,W}(\bar y)$ for a $<^*$-formula such that

(1) $\theta^{\bar c, A}_{k,n,W}(\bar y)$ is of quantifier rank $\le 2r$,

(2) for all $(k, k + F(n), W)$-good $\bar d \in A_N$, if $\bar d^0 = \bar c$, then $\mathcal A_N \models \theta^{\bar c, A}_{k,n,W}(\bar d)$ iff $\phi(\mathcal A_N, \bar d) \cap$

The following definition gives our induction assumption, i.e. by induction on $r$ we will show that every ε-formula of quantifier rank $\le r$ is essentially equivalent to a $<^*$-formula.

Definition 18 Let $\phi(v_i, \bar y)$ be an ε-formula of quantifier rank $r$. We say that $\phi$ is essentially equivalent to a $<^*$-formula if for all $k$ and $n \ge r$ such that $N > \max(k + F(n) + 3, 2^{2n+3})$, and for all $W \subseteq lg(\bar y)$, $A \subseteq$ and finite sequences $\bar c$ of elements of $A_N^{<k}$ the following holds:

(1) $\phi^{\bar c}_{k,n,W}(v_i, \bar y)$ exists,

(2) $\theta^{\bar c, A}_{k,n,W}(\bar y)$ exists,

(3) if $\bar d$ is $(k, k + F(n), W)$-good, $C \subseteq A_N$ is standard and either $\phi(\mathcal A_N, \bar d) = C$ or $\neg\phi(\mathcal A_N, \bar d) = C$, then $C \subseteq A_N^{<k+F(n)}$.

If only (1) and (2) hold, then we say that $\phi(v_i, \bar y)$ is weakly essentially equivalent to a $<^*$-formula.

Notice that if $C \subseteq A_N^{<k+F(n)}$ is standard, then $C \subseteq \{(a, b) \in A_N \mid a = 0,\ b < k + F(n)\}$ (assuming $N > k + F(n) + 1$).

The following lemma gives the means to handle the problem of standard sets. Notice that the empty set is standard.

Lemma 19 Assume that $\phi(v_i, \bar y)$ is an ε-formula of quantifier rank $r$.

(i) If $\phi(v_i, \bar y)$ is weakly essentially equivalent to a $<^*$-formula, then $\phi(v_i, \bar y)$ is essentially equivalent to a $<^*$-formula.

(ii) Assume that $\phi(v_i, \bar y)$ is essentially equivalent to a $<^*$-formula. Let $n \ge r$ and $k$ be such that $N > \max(k + F(n) + 3, 2^{2n+3})$. Suppose $\bar a$ and $\bar b$ are $(k, k + F(n), W)$-good, $(k, k + F(n), 2r + 1)$-equivalent, $\bar a^0 = \bar b^0 = \bar c$ and $\phi(\mathcal A_N, \bar a)$ is standard. Then $\phi(\mathcal A_N, \bar a) = \phi(\mathcal A_N, \bar b)$.

Proof. (i): Let $k$, $n \ge r$ and $W \subseteq lg(\bar y)$ be as in Definition 18 and let $\bar a$ be $(k, k + F(n), W)$-good. By Fact 13, for all $b, c \in A_N^{<k+F(n)} - A_N^{<k+F(n)-1}$, $(\mathcal A_N^*, b, \bar a) \equiv_{2r} (\mathcal A_N^*, c, \bar a)$. So by Definition 18 (1),

(*) $\mathcal A_N \models \phi(b, \bar a) \leftrightarrow \phi(c, \bar a)$.

But by the definition of a standard set $C$, $C \cap (A_N^{<k+F(n)} - A_N^{<k+F(n)-1})$

and if $C \cap$

$= \emptyset$, then $C \subseteq$

With (*), this implies the claim.

(ii): We show that $\phi(\mathcal A_N, \bar a) -$ $= \emptyset$, the rest is easy. Assume not. Let $d$ witness this. Since $\bar a$ is $(k, k + F(n))$-good and $(\mathcal A_N^*, \bar a) \equiv_{2r+1} (\mathcal A_N^*, \bar b)$, we can choose, by Fact 13 (i), $d' \in A_N -$ so that $\bar a^\frown(d')$ and $\bar b^\frown(d)$ are $(k, k + F(n) - 1, 2r)$-equivalent. But then $\models$ , a contradiction. □

We  skip  the  proof  of  the  following  lemma. 

Lemma 20 (i) If $\phi$ is an ε-free atomic formula, then it is essentially equivalent to a $<^*$-formula.

(ii) If ε-formula $\phi$ is essentially equivalent to a $<^*$-formula, then so is $\neg\phi$.

(iii) If ε-formulas $\phi(v_i, \bar y)$ and $\phi'(v_i, \bar y)$ are essentially equivalent to a $<^*$-formula, then so is $\phi \wedge \phi'$. □

Lemma 21 If an ε-formula $\phi(v_i, v_j, \bar y)$, $\bar y = (y_l)_{l < lg(\bar y)}$, is essentially equivalent to a $<^*$-formula, then so is $\phi^* = (\varepsilon v_i\,\phi(v_i, v_j, \bar y) = z)$, where $z = v_j$ or $y_l$ for some $l < lg(\bar y)$.

Proof. Without loss of generality we may assume that $j = lg(\bar y)$ and $i = j + 1$. Let $\phi$ be of quantifier rank $p$. We assume that $z = v_j$, the other case is similar (and easier). Let $k, n, m, W, \bar c$ and $A \subseteq$ be as in Definition 18 for $r = p + 1$. Assume that $\bar a$ and $\bar b$ are $(k, k + F(n), 2r)$-equivalent, and $\bar a^0 = \bar b^0 = \bar c$. If $c \in$ is such that $\varepsilon v_i\,\phi(v_i, c, \bar a) = c$ holds then by the induction assumption and Lemma 19, also $\varepsilon v_i\,\phi(v_i, c, \bar b) = c$ holds (sequences $\bar a^\frown(c)$ and $\bar b^\frown(c)$ are always either $(k, k + F(n - 1), W \cup \{j\})$-good or $(k + 1 + F(n - 1), k + 1 + 2F(n - 1), W)$-good). With this one can see that $\theta^{\bar c, A}_{k,n,W}(\bar y)$ exists, i.e. (2) in Definition 18 holds.

For item (1) in Definition 18, we notice that by the induction assumption, if $c \in$ is $(k, k + F(n))$-good and $\neg\phi(\mathcal A_N, c, \bar a)$ is standard or $\phi(\mathcal A_N, c, \bar a)$ is empty, then $\varepsilon v_i\,\phi(v_i, c, \bar a) \ne c$. Then one can check that

,;i-l 

^F(V4-i,vruL}(F’i'2,y)  ^  F  =  Vj)A 

Vwi(V4-i,H-u{j}(F,  1^2,27)  ->  h(v,  <*  Vj)Vj/(Vi,c)}) 

is as wanted, where $\eta(v_i, \bar c)$ says that for some $l < lg(\bar c)$, there are less than $2^{2r} - 1$ elements $x$ such that $c_l <^* x <^* v_i$, and if $\bar c$ is the empty sequence, then $\eta(v_i)$ says that there are less than $2^{2r} - 1$ elements $<^* v_i$. □

The following lemma can be proved using ideas from the proof of Lemma 21.

Lemma 22 If ε-formulas $\phi(v_i, v_j, \bar y)$ and $\phi'(v_i, v_j, \bar y)$ are essentially equivalent to $<^*$-formulas, then so is $\phi^* = (\varepsilon v_i\,\phi(v_i, v_j, \bar y) = \varepsilon v_j\,\phi'(v_i, v_j, \bar y))$. □

Proof of Proposition 15. Follows from Lemmas 20, 21 and 22. □

Conclusion 23 The standard order is not uniformly definable in ε-logic.

Proof. For a contradiction, assume that the standard order is definable by an ε-formula of quantifier rank $n$. Let $N < \omega$ be such that $N > 2^{2n+3}$. Then by Fact 13, it is easy to see that $((N - 2, N - 3), (N - 3, N - 2))$ is $(1, 1 + F(n), 2n)$-equivalent to $((N - 2, N - 3), (N - 2, N - 2))$ but $(N - 2, N - 3) > (N - 3, N - 2)$ and $(N - 2, N - 3) < (N - 2, N - 2)$. By Proposition 15, we have a contradiction. □

Conclusion 24 The last element in the standard order is not uniformly definable in ε-logic.

Proof. We define an ordering $<^+$ on $A_N$ as follows: $x <^+ y$ if either $x <^* y$ and $x \in A_N^{<N-2}$, or $x, y \in A_N - A_N^{<N-2}$ and $y <^* x$. Also a new choice operation $E^+$ is defined. This is defined exactly as $E$ using $<^+$ in place of $<^*$. Then, as above, we can see that if $a, b \in A_N - A_N^{<N-2}$, $N > 2^{2n+3}$, are such that $(A_N, <^+, a) \equiv_{2n} (A_N, <^+, b)$, then $(\mathcal A_N, E^+, a)$ is equivalent in ε-logic to $(\mathcal A_N, E^+, b)$ up to quantifier rank $n$. This implies the claim (the last element in the standard order is the $<^+$-first element of $A_N - A_N^{<N-2}$). □
Abstract

We introduce a second-order system $V_1$-Horn of bounded arithmetic formalizing polynomial-time reasoning, based on Grädel's [15] second-order Horn characterization of P. Our system has comprehension over P predicates (defined by Grädel's second-order Horn formulas), and only finitely many function symbols. Other systems of polynomial-time reasoning either allow induction on NP predicates (such as Buss's $S^1_2$ or the second-order $V^1_1$), and hence are more powerful than our system (assuming the polynomial hierarchy does not collapse), or use Cobham's theorem to introduce function symbols for all polynomial-time functions (such as Cook's PV and Zambella's P-def). We prove that our system is equivalent to QPV and Zambella's P-def. Using our techniques, we also show that $V_1$-Horn is finitely axiomatizable, and, as a corollary, that the class of $\forall\Sigma^b_1$ consequences of $S^1_2$ is finitely axiomatizable as well, thus answering an open question.


1  Introduction 

1.1  Bounded  Arithmetic 

Here Bounded Arithmetic loosely refers to a collection of weak formal theories of arithmetic connected to the complexity classes P (polynomial time) and PH (the polynomial hierarchy) (see [3, 17, 20, 6, 2]). Study of these theories is motivated partly by the fundamental questions in complexity theory: Does P $\ne$ NP? Does PH collapse? An early example is the equational theory PV (for "Polynomially Verifiable") [8], which includes function symbols for all polynomial-time functions, defining equations for them based on Cobham's theorem, and a proof rule implementing induction on binary notation. The idea is that an equation is provable in PV iff it can be uniformly verified using only polytime concepts.

* An expanded version of this paper is available as ECCC report number TR01-024 [7].


Later Buss [3] introduced a hierarchy of first-order theories $(S^1_2, S^2_2, S^3_2, \dots)$ corresponding to the levels of the polynomial hierarchy. In particular $S^1_2$ corresponds to polynomial time, in the sense that a function $f : \mathbb N \to \mathbb N$ is polynomial-time computable iff there is a so-called $\Sigma^b_1$ formula $A(x, y)$ defining the graph of $f$ such that $S^1_2 \vdash \forall x \exists y\, A(x, y)$. Here $\Sigma^b_1$ formulas are certain bounded formulas which semantically represent precisely the NP predicates. $S^1_2$ includes PIND (induction on notation) axioms for all $\Sigma^b_1$ formulas.

We define QPV (quantified PV) to be the first-order theory with the same language as the equational theory PV, and whose axioms are the theorems of PV. Buss [3] proves that every $\forall\Sigma^b_1$ theorem of $S^1_2$ is a theorem of QPV. However [21] proves that the induction axioms for $S^1_2$ (which are not $\forall\Sigma^b_1$ formulas) are not all theorems of QPV, unless PH collapses. (Complexity theorists generally assume that PH does not collapse.) The theory $V_1$-Horn that we introduce in this paper turns out to be equivalent to QPV (rather than $S^1_2$), as explained below.

An important open question is whether the union theory $S_2$ of Buss's hierarchy $(S^i_2)$ of theories is finitely axiomatizable. As shown in [21, 5, 31], this happens iff $S_2$ proves that PH collapses. Since each of the theories $S^i_2$ is finitely axiomatizable, it is immediate that $S_2$ is finitely axiomatizable iff the hierarchy $(S^i_2)$ collapses. Thus the hierarchy $(S^i_2)$ collapses iff $S_2$ proves that PH collapses.

The theory $S^1_2$ is finitely axiomatizable because it has a finite language, and its infinite induction scheme for $\Sigma^b_1$ formulas follows from finitely many induction axioms, including one for a formula representing an NP-complete predicate. It does not make sense to ask whether QPV is finitely axiomatizable, because it has infinitely many function symbols. However [3] shows that PV is equivalent to the $\Sigma^b_1$ consequences of $S^1_2$, so it makes sense to ask whether the latter are finitely axiomatizable. We answer this affirmatively in this paper by showing that our theory $V_1$-Horn is finitely axiomatizable (essentially by $\Sigma^B_1$ formulas) and is equivalent to QPV.

Buss [3] introduced two hierarchies of so-called second-order theories, including a theory for polynomial space and one for exponential time. (All "second-order" theories that we discuss are actually two-sorted first-order theories, with one sort for numbers and the other for finite bit strings.) Razborov [26] argues at length that a related second-order theory called $V^1_1$ can nicely formalize existing lower bound proofs on the complexity of explicitly given Boolean functions, and points out that by the "RSUV isomorphism" [25, 29], $V^1_1$ is equivalent to the first-order theory $S^1_2$ and hence captures polynomial-time reasoning.

Zambella [31] introduced an elegant presentation for second-order theories such as $V^1_1$, and we use this style here to present our theory $V_1$-Horn. One of Zambella's second-order theories, P-def, has function symbols for all polynomial-time functions, and can be shown to be equivalent to the first-order theory QPV by the RSUV isomorphism. We show that $V_1$-Horn is equivalent to P-def, in the sense that every theorem of $V_1$-Horn is a theorem of P-def, and every theorem of P-def can be translated into a theorem of $V_1$-Horn by replacing function symbols by their definitions in $V_1$-Horn.

1.2  Descriptive  Complexity 

The first connection between finite model theory and complexity theory goes back to Fagin's 1974 result [13] showing that a language is in NP iff it corresponds to the set of finite models of an existential second-order formula. Later Stockmeyer [28] extended this result, characterizing the polynomial hierarchy as the class of sets of finite models of all second-order formulas.

Finding an elegant descriptive-style characterization of P proved more elusive. One such characterization of P uses first-order logic augmented with the successor relation and the least fixed-point operator [30, 18]. Later Leivant [22, 23] found a second-order characterization of P using the notion of "controlled computational formula", which is related to Horn formulas. (The motivation for using Horn formulas comes from the existence of a simple polynomial-time algorithm for solving the satisfiability problem for propositional Horn formulas.) Finally Grädel [14, 15] found an elegant descriptive characterization of P using SO$\exists$-Horn (second-order existential Horn) formulas with successor.

1.3  Outline 

In Section 2 we give the syntax and intended semantics of second-order formulas and show that certain syntactic classes of formulas represent the relations in certain corresponding complexity classes. In particular, the $\Sigma^B_1$-Horn (second-order existential Horn) formulas represent the polynomial-time predicates (by Grädel's theorem). We define various second-order theories in Section 3, including our theory $V_1$-Horn and the theory $V^0$ corresponding to the complexity class AC$^0$. The theory $V_1$-Horn uses a comprehension axiom scheme for the $\Sigma^B_1$-Horn formulas. In Section 4 we show that $V_1$-Horn proves the equivalence of each formula in several broad syntactic classes to a $\Sigma^B_1$-Horn formula. Section 5 contains the description of the main tool needed for later sections, namely representing the Horn satisfiability algorithm in $V_1$-Horn by a $\Sigma^B_1$-Horn formula and proving its correctness in $V_1$-Horn. In Section 6 we construct a conservative extension $V_1$-Horn(FP) of $V_1$-Horn by introducing function symbols for polynomial-time functions, and show the equivalence of this and Zambella's P-def [31]. Finally, in Section 7 we demonstrate that both $V^0$ and $V_1$-Horn are finitely axiomatizable, and show that this implies that the $\forall\Sigma^b_1$ consequences of $S^1_2$ are finitely axiomatizable.

2 Second-order formulas and complexity classes

The prototype for the underlying language of $V_1$-Horn is the language of second-order bounded arithmetic introduced by Buss [3]. However our language is closer to the nicer second-order language introduced by Zambella [31], in that we eliminate the superscript terms $t$ tagging second-order variables $X^t$ and instead introduce a bounding function $|X|$.

Our language $\mathcal{L}^2_A$ has two sorts, called first-order and second-order. (The intention is that first-order objects are natural numbers and second-order objects are finite sets of natural numbers, or finite binary strings.) First-order variables are denoted by lower case letters $a, b, i, j, \ldots, x, y, z$, and second-order variables are denoted by upper-case letters $P, Q, \ldots, X, Y, Z$.

The first-order function and predicate symbols of $\mathcal{L}^2_A$ are the standard symbols $\{0, 1, +, \cdot, \le, =\}$ of Peano Arithmetic. To these we add the unary length function symbol $|\;|$, which takes second-order objects to first-order objects, and the binary membership predicate symbol $\in$.

For every second-order variable $X$ we form a first-order term $|X|$ called a length term. The first-order terms of $\mathcal{L}^2_A$ are built from $0$, $1$, first-order variables, and length terms using the function symbols $+$ and $\cdot$. The only second-order terms are second-order variables.

The atomic formulas of $\mathcal{L}^2_A$ have one of the forms $s = t$, $s \le t$, $t \in X$, where $s$ and $t$ are first-order terms and $X$ is a second-order variable. We usually write $X(t)$ instead of $t \in X$. Formulas are built from atomic formulas using the propositional connectives $\wedge, \vee, \neg$, the first-order quantifiers $\forall x, \exists x$ and the second-order quantifiers $\forall X, \exists X$.

We use the usual abbreviations $s \neq t$ for $\neg s = t$ and $s < t$ for $s \le t \wedge s \neq t$. Bounded first-order quantifiers get their usual meaning: $\forall x \le t\, \phi$ stands for $\forall x (x \le t \to \phi)$ and $\exists x \le t\, \phi$ stands for $\exists x (x \le t \wedge \phi)$. We also use bounded second-order quantifiers: $\forall X \le t\, \phi$ stands for $\forall X (|X| \le t \to \phi)$ and $\exists X \le t\, \phi$ stands for $\exists X (|X| \le t \wedge \phi)$.

In the standard model for $\mathcal{L}^2_A$ first-order variables range over $\mathbb{N}$, and second-order variables range over finite subsets of $\mathbb{N}$. If $X$ is the empty set, then $|X|$ is interpreted as $0$, otherwise $|X|$ is interpreted as one more than the largest element of the finite set $X$. The symbols $0, 1, +, \cdot, \le, \in$ get their usual interpretations.

In complexity theory a member of a language is often taken to be a binary string, but from our "second-order" point of view we take it to be a finite subset $X$ of $\mathbb{N}$. To relate this to the string point of view we code a finite set $X$ by the binary string $X'$, where $X'$ is the empty string if $X$ is the empty set, and otherwise $X'$ is the binary string $x_0 x_1 \ldots x_{n-1}$ of length $n = |X|$ such that $x_i = 1 \iff i \in X$, $0 \le i \le n - 1$. (Thus all nonempty string codes end in $1$.) If $L$ is a set of finite subsets of $\mathbb{N}$, then the corresponding set of strings is $L' = \{X' \mid X \in L\}$. If $C$ is a standard complexity class such as AC$^0$, P or NP, then our second-order reinterpretation of $C$ is $\{L \mid L' \in C\}$. Since the complexity classes considered here are robust, this reinterpretation will come out the same for any reasonable string coding method.

The role of first-order objects in our theories is that of members of second-order objects, or equivalently as position indices for binary strings. Thus in determining the complexity of a set of natural numbers we code a natural number $i$ using unary notation; that is, as a string $i'$ of $1$'s of length $i$.

Definition 2.1. If $\phi(\vec{z}, \vec{Y})$ is a formula of $\mathcal{L}^2_A$ whose free variables are among $z_1, \ldots, z_k, Y_1, \ldots, Y_\ell$, then $\phi$ represents a $k + \ell$-ary relation as follows. If $a_1, \ldots, a_k$ are natural numbers and $B_1, \ldots, B_\ell$ are finite sets of natural numbers, then $(a_1, \ldots, a_k, B_1, \ldots, B_\ell)$ satisfies $\phi$ iff $\phi(a_1, \ldots, a_k, B_1, \ldots, B_\ell)$ is true in the standard model.

If $C$ is a complexity class, then we make sense of the statement "$\phi$ is in $C$" using the string encodings described above. In particular, a relation $R(x_1, \ldots, x_k, Y_1, \ldots, Y_\ell)$ is in P iff it is recognizable in time bounded by a polynomial in $(x_1, \ldots, x_k, |Y_1|, \ldots, |Y_\ell|)$.

We now define the classes $\Sigma^B_i$ and $\Pi^B_i$ of bounded second-order formulas. (A formula is bounded if all its quantifiers are bounded.) $\Sigma^B_0$ and $\Pi^B_0$ both denote the class of bounded formulas with no second-order quantifiers. We define $\Sigma^B_{i+1}$ inductively as the least class of formulas containing $\Pi^B_i$ and closed under disjunction, conjunction, and bounded existential second-order quantification. The class $\Pi^B_{i+1}$ is defined dually.

The classes $\Sigma^B_i$ and $\Pi^B_i$ are the formulas in our (Zambella's) simplified language which correspond to the classes $\Sigma^{1,b}_i$ and $\Pi^{1,b}_i$ in Buss's prototype second-order language [3, 20]. They are the second-order analogs of the first-order formula classes $\Sigma^b_i$ and $\Pi^b_i$, where sharply-bounded quantifiers correspond to our bounded first-order quantifiers.

The formulas $\Sigma^B_1$ represent precisely the NP relations, and more generally for $i \ge 1$ the $\Sigma^B_i$ formulas represent the $\Sigma^p_i$ relations in the polynomial hierarchy and $\Pi^B_i$ represent the $\Pi^p_i$ relations [3, 20]. The formulas $\Sigma^B_0$ represent precisely the uniform AC$^0$ relations, which are the same as the class FO (First Order) of descriptive complexity [1] (see Chapter 1 of [19]).

We now define the formulas corresponding to polynomial time. Recall that a CNF (conjunctive normal form) formula is a conjunction of clauses of the form $(L_1 \vee \ldots \vee L_m)$, $m \ge 1$, where each $L_i$ is a literal; that is, an atomic formula or a negated atomic formula.

Definition 2.2. A formula $\phi$ of $\mathcal{L}^2_A$ is Horn with respect to the second-order variables $P_1, \ldots, P_k$ if $\phi$ is quantifier-free in CNF and in every clause there is at most one positive literal of the form $P_i(t)$ (called the head of the clause) and no terms of the form $|P_i|$. (We do allow length terms $|X|$ and any number of positive literals $X(t)$, where $X$ is not among $\{P_1, \ldots, P_k\}$.) A formula is $\Sigma^B_1$-Horn if it has the form

$$\exists P_1 \ldots \exists P_k\, \forall x_1 \le t_1 \ldots \forall x_m \le t_m\, \phi \qquad (1)$$

where $k, m \ge 0$ and $\phi$ is Horn with respect to $P_1, \ldots, P_k$, and the bounding terms $t_i$ do not involve $x_1, \ldots, x_m$. More generally a formula is $\Sigma^B_\infty$-Horn if it has the above form except that each second-order quantifier can be either $\exists$ or $\forall$. A formula is $\Pi^B_0$ Horn with respect to $P_1, \ldots, P_k$ if it has the form (1) with the existential quantifiers omitted.

Notice that our definition of $\Sigma^B_1$-Horn is somewhat different from Grädel's original definition of second-order existential Horn formula, as explained before Theorem 2.3. Also note that the second-order quantifiers in $\Sigma^B_1$-Horn and $\Sigma^B_\infty$-Horn formulas are not bounded. However, since no occurrence of $|P_i|$ is allowed, each such formula is equivalent in the standard model to one in which every quantifier $\exists P_i$ or $\forall P_i$ is bounded by a term $t$ which is an upper bound on all terms $u$ such that $P_i(u)$ occurs in the formula. On the other hand, if occurrences of $|P_i|$ were allowed, then an unbounded quantifier $\exists P_i$ could code an unbounded number quantifier $\exists |P_i|$ and hence undecidable relations would be representable.

It is often convenient to treat second-order objects as multi-dimensional arrays, instead of one-dimensional strings or sets. An easy way to do so is to use a pairing function $\langle \cdot, \cdot \rangle$, defined by

$$\langle x, y \rangle = (x + y)(x + y + 1) + 2y \qquad (2)$$

This function is a one-one map from $\mathbb{N} \times \mathbb{N}$ into $\mathbb{N}$, and it is represented by a term in our language. It is easily generalized to $k$-tuples by defining $\langle x_1, \ldots, x_k \rangle$ by the recursion

$$\langle x \rangle = x, \qquad \langle x_1, \ldots, x_{k+1} \rangle = \langle \langle x_1, \ldots, x_k \rangle, x_{k+1} \rangle \qquad (3)$$

Thus, any finite set $P$ can be treated as a set of $k$-tuples; $P(x_1, \ldots, x_k)$ is defined to be $P(\langle x_1, \ldots, x_k \rangle)$.
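As an added illustration (not from the paper), the following Python implements the pairing function (2), the $k$-tupling recursion (3), an exhaustive one-one check on a finite range, and the use of a finite set as a 2-dimensional array; all function names are this example's own.

```python
# Added example (not from the paper): the pairing function (2), its k-ary
# extension (3), and a finite set used as a 2-dimensional array P(b, t).
from itertools import product


def pair(x: int, y: int) -> int:
    """<x, y> = (x + y)(x + y + 1) + 2y, equation (2)."""
    return (x + y) * (x + y + 1) + 2 * y


def tuple_code(*xs: int) -> int:
    """<x_1, ..., x_k> by the recursion (3):
    <x> = x and <x_1, ..., x_{k+1}> = <<x_1, ..., x_k>, x_{k+1}>."""
    if not xs:
        raise ValueError("a tuple needs at least one component")
    code = xs[0]
    for x in xs[1:]:
        code = pair(code, x)
    return code


def is_one_one_on(bound: int, arity: int) -> bool:
    """Exhaustively check that the tupling function is one-one on
    {0, ..., bound-1}^arity: distinct tuples never share a code."""
    seen = {}
    for xs in product(range(bound), repeat=arity):
        code = tuple_code(*xs)
        if seen.setdefault(code, xs) != xs:
            return False
    return True


def encode_array(rows):
    """Turn a list of rows of booleans into the finite set
    P = { <b, t> : row b has a 1 in column t }."""
    return {pair(b, t) for b, row_bits in enumerate(rows)
            for t, bit in enumerate(row_bits) if bit}


def row(P, b: int, width: int):
    """The b-th row of P viewed as a 2-D array: P(b, t) iff <b, t> is in P."""
    return [pair(b, t) in P for t in range(width)]
```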

The theorem below is similar to part of Grädel's Theorem 5.2 [14] (see also Chapter 7 of [27]), which is stated in the context of descriptive complexity theory. There are technical differences: Grädel's language is more general in that it allows predicate symbols of arbitrary arity, but these can be simulated by the pairing function as just explained. On the other hand our language is more general in that it allows interpreted function symbols $+$ and $\cdot$ and terms $|P_i|$, as well as universally quantified number variables whose range goes up to any polynomial in the size of the inputs. However none of these generalizations takes us outside the polynomial-time relations.

Theorem 2.3. A relation $R(z_1, \ldots, z_k, Y_1, \ldots, Y_\ell)$ is in P iff it is representable by a $\Sigma^B_1$-Horn formula $\Phi$. Further $\Phi$ can be chosen with only one existentially quantified second-order variable, and only two universally quantified first-order variables.

Example. (Parity($X$)) This is a $\Sigma^B_1$-Horn formula which is true for strings $X$ that contain an odd number of $1$'s. It encodes a dynamic-programming algorithm for computing the parity of $X$: $P_{odd}(i)$ is true (and $P_{even}(i)$ is false) iff the prefix of $X$ of length $i$ contains an odd number of $1$'s.

$$\begin{aligned}
\exists P_{even} \exists P_{odd}\, \forall i < |X|\ & P_{even}(0) \wedge \neg P_{odd}(0) \wedge P_{odd}(|X|) \\
& \wedge (\neg P_{even}(i+1) \vee \neg P_{odd}(i+1)) \\
& \wedge (P_{even}(i) \wedge X(i) \to P_{odd}(i+1)) \\
& \wedge (P_{odd}(i) \wedge X(i) \to P_{even}(i+1)) \\
& \wedge (P_{even}(i) \wedge \neg X(i) \to P_{even}(i+1)) \\
& \wedge (P_{odd}(i) \wedge \neg X(i) \to P_{odd}(i+1))
\end{aligned}$$

Proof of theorem (outline). For the if direction, let $\Phi(\vec{z}, \vec{Y})$ be a $\Sigma^B_1$-Horn formula which represents $R(\vec{z}, \vec{Y})$. Then $\Phi$ has the form

$$\exists P_1 \ldots \exists P_r\, \forall x_1 \le t_1 \ldots \forall x_s \le t_s\, \phi(\vec{x}, \vec{P}, \vec{z}, \vec{Y}) \qquad (4)$$

where $\phi$ is Horn with respect to $P_1, \ldots, P_r$. We outline a polynomial-time algorithm which, given numbers $a_1, \ldots, a_k$ (coded in unary) and finite sets $B_1, \ldots, B_\ell$ (coded by binary strings) determines whether $\Phi(\vec{a}, \vec{B})$ is true in the standard model. First note that since $\vec{a}$ and $\vec{B}$ are given, each first-order term $u$ in $\phi(\vec{x}, \vec{P}, \vec{a}, \vec{B})$ becomes a polynomial $u(x_1, \ldots, x_s)$. Each $P_i$ can occur only in the context $P_i(u(\vec{x}))$ for some such term $u$, and the terms $t_1, \ldots, t_s$ bounding the $x_i$'s evaluate to constants. The algorithm proceeds by computing for each possible $\vec{x}$-value $\vec{b} = (b_1, \ldots, b_s)$, $0 \le b_i \le t_i$, a simplified form $\phi[\vec{b}]$ of the instance $\phi(\vec{b}, \vec{P}, \vec{a}, \vec{B})$ of $\phi$. In this form all first-order terms and all atomic formulas not involving the $P_i$'s are evaluated, and the result is a Horn formula $\phi[\vec{b}]$ all of whose atoms are in the list $P_i(0), \ldots, P_i(T)$, $i = 1, \ldots, r$, where $T$ is the largest possible argument of any $P_i$ in any instance. By taking the conjunction over all $\vec{b}$ of these instances, we obtain a propositional Horn formula PROP$[\Phi, \vec{a}, \vec{B}]$. This formula is tested for satisfiability using a standard algorithm.
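As an added illustration (not the paper's own code) of the "if" direction just outlined, the following Python grounds the Parity($X$) formula from the example above into the propositional Horn formula PROP[Parity, $X$] and decides it with the standard unit-propagation Horn satisfiability algorithm; the atom names and the clause representation are this example's own choices.

```python
# Added example (not the paper's own code): the "if" direction of Theorem 2.3
# applied to the Parity(X) formula.  The quantifier "forall i < |X|" is
# instantiated for every i, every atom not involving P_even/P_odd (here X(i))
# is evaluated, and the resulting propositional Horn formula PROP[Parity, X]
# is decided by unit propagation.


def length(X):
    """|X|: 0 for the empty set, otherwise one more than its largest element."""
    return 0 if not X else max(X) + 1


def ground_parity(X):
    """PROP[Parity, X] as a list of propositional Horn clauses.

    A clause is (body, head): body is a frozenset of atoms that must all hold,
    head is the single positive atom, or None for a headless (goal) clause.
    Atoms ('even', i) and ('odd', i) stand for P_even(i) and P_odd(i).
    """
    n = length(X)
    clauses = [
        (frozenset(), ('even', 0)),          # P_even(0)
        (frozenset({('odd', 0)}), None),     # not P_odd(0)
        (frozenset(), ('odd', n)),           # P_odd(|X|)
    ]
    for i in range(n):                       # one instance per i < |X|
        # not P_even(i+1) or not P_odd(i+1)
        clauses.append((frozenset({('even', i + 1), ('odd', i + 1)}), None))
        if i in X:
            # X(i) is true: the two clauses containing X(i) drop that literal;
            # the two containing not X(i) are already satisfied and vanish.
            clauses.append((frozenset({('even', i)}), ('odd', i + 1)))
            clauses.append((frozenset({('odd', i)}), ('even', i + 1)))
        else:
            clauses.append((frozenset({('even', i)}), ('even', i + 1)))
            clauses.append((frozenset({('odd', i)}), ('odd', i + 1)))
    return clauses


def horn_sat(clauses):
    """Standard polynomial-time Horn satisfiability: compute the least model
    by unit propagation, then check that no headless clause is violated.
    Returns (satisfiable, set_of_forced_atoms)."""
    forced = set()
    changed = True
    while changed:
        changed = False
        for body, head in clauses:
            if head is not None and head not in forced and body <= forced:
                forced.add(head)
                changed = True
    for body, head in clauses:
        if head is None and body <= forced:
            return False, forced
    return True, forced


def parity_by_formula(X):
    """True iff Parity(X) holds, i.e. iff PROP[Parity, X] is satisfiable."""
    satisfiable, _ = horn_sat(ground_parity(X))
    return satisfiable


if __name__ == "__main__":
    # constructed sample inputs; X = {0, 2} codes the string "101"
    for X in (set(), {0}, {1}, {0, 2}, {0, 1, 2}):
        print(sorted(X), parity_by_formula(X))
```

The number of atoms is $2(|X| + 1)$ and the number of clauses is linear in $|X|$, which is the polynomial bound the proof relies on.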

The proof of the only-if direction resembles the proof of Cook's theorem that SAT is NP-complete, and of Fagin's theorem of finite model theory that second-order existential formulas capture NP. The idea is to represent the computation of a Turing machine $M$ by a two-dimensional array $P$, where the $i$-th row represents the tape configuration of $M$ (including state and scanned-symbol information) at time $i$. The two existential second-order quantifiers are $\exists P \exists \bar{P}$, where $\bar{P}$ is intended to be $\neg P$. The two universally quantified variables $x_1, x_2$ represent the co-ordinates of $P$. A crucial observation is that if $M$ is deterministic, then the conditions on $P$ and $\bar{P}$ can be expressed with Horn clauses. □

Note that the above proof also shows that every NP relation can be represented by a formula of the form (4), except that $\phi$ is not Horn.

Example. (3COLOR($n$, $E$)) This is a $\Sigma^B_1$ formula asserting that the graph with edge relation $E$ on nodes $\{0, 1, \ldots, n-1\}$ is three-colorable. We write $E(x, y)$ like a binary relation, although it can be coded as a unary relation using the pairing function as explained above. The three colors are $P$, $Q$ and $R$.

$$\begin{aligned}
\exists P \exists Q \exists R\, \forall x < n\, \forall y < n\ & (P(x) \vee Q(x) \vee R(x)) \\
& \wedge (\neg E(x, y) \vee \neg P(x) \vee \neg P(y)) \\
& \wedge (\neg E(x, y) \vee \neg Q(x) \vee \neg Q(y)) \\
& \wedge (\neg E(x, y) \vee \neg R(x) \vee \neg R(y))
\end{aligned}$$

This formula is $\Sigma^B_1$-Horn except for the first clause. Since graph 3-colorability is NP-complete, it cannot be represented by a $\Sigma^B_1$-Horn formula unless P = NP. This example illustrates why we cannot allow bounded first-order existential quantifiers after the universal quantifiers in $\Sigma^B_1$-Horn formulas, since the first clause could be replaced by $\exists i < 3\, P(i, x)$ where now $P(0, x), P(1, x), P(2, x)$ represent the three colors.

3 $V_1$-Horn and other second-order theories

Our second-order theories use the language $\mathcal{L}^2_A$ described in the previous section. They all share the set 2-BASIC of axioms in Table 1, which are similar to the axioms for Zambella's theory $\Sigma^B_0$-comp [31] and form the second-order analog of Buss's first-order axioms BASIC [3]. The set 2-BASIC consists essentially of the axioms for Robinson's system Q, together with axioms for $\le$, and two axioms defining the length terms $|X|$.

Table 1. The 2-BASIC Axioms

Robinson's theory Q axioms
B1: $x + 1 \neq 0$    B2: $x + 1 = y + 1 \to x = y$
B3: $x + 0 = x$    B4: $x + (y + 1) = (x + y) + 1$
B5: $x \cdot 0 = 0$    B6: $x \cdot (y + 1) = (x \cdot y) + x$

Axioms for $\le$
B7: $0 \le x$    B9: $x \le y \wedge y \le z \to x \le z$
B8: $x \le x + y$    B10: $(x \le y \wedge y \le x) \to x = y$
B11: $x \le y \vee y \le x$    B12: $x \le y \leftrightarrow x < y + 1$

Predecessor axiom
B13: $x \neq 0 \to \exists y (y + 1 = x)$

Length axioms
L1: $X(y) \to y < |X|$
L2: $y + 1 = |X| \to X(y)$

The underlying logic for our theories is that of two-sorted first-order predicate calculus. Any standard proof system for predicate calculus, such as Gentzen's system LK, can be adapted to a two-sorted system simply by reinterpreting the notion of formula to be that defined in Section 2.

In addition to 2-BASIC, each system needs a comprehension scheme for some set FORM of formulas.

$$\text{FORM-COMP}: \quad \exists X \le y\, \forall z < y\, (X(z) \leftrightarrow \Phi(z)) \qquad (5)$$

Here, $\Phi$ is any formula in the set FORM with no free occurrence of $X$.

We denote by $V^i$ the theory axiomatized by 2-BASIC and $\Sigma^B_i$-COMP. For $i \ge 0$ $V^i$ is essentially the same as Zambella's $\Sigma^B_i$-comp [31]. For $i \ge 1$ $V^i$ is essentially the same as $V^i_1$ [20]. (The latter restricts comprehension to $\Sigma^{1,b}_0$ formulas, but allows induction on $\Sigma^{1,b}_i$ formulas. However Theorem 1 of Buss [4] shows that $V^i_1$ proves the $\Sigma^{1,b}_i$ comprehension axioms.) Thus for $i \ge 1$ $V^i$ is a second-order version of $S^i_2$. In particular, the $\Sigma^B_1$-definable functions in $V^1$ are precisely the polynomial-time functions [9]. The $\Sigma^B_1$-definable functions in $V^0$ are the uniform AC$^0$ functions [9] (called rudimentary functions in [31]). The first-order analog of $V^0$ is $S^0_2$ with a comprehension scheme for sharply-bounded formulas.

Definition 3.1. $V_1$-Horn is the theory axiomatized by 2-BASIC and $\Sigma^B_1$-Horn-COMP.

Although 2-BASIC does not include an explicit induction axiom, L2 asserts that a nonempty set has a largest element. This can be turned into a least number principle, from which induction follows.

Lemma 3.2. The least number principle is a theorem of $V_1$-Horn, and of $V^i$, $i \ge 0$.

$$\text{LNP}: \quad 0 < |X| \to \exists x < |X|\, (X(x) \wedge \forall y < x\, \neg X(y))$$

Proof. By the comprehension schema there is a set $Y$ such that $|Y| \le |X|$ and for all $z < |X|$

$$Y(z) \leftrightarrow \forall i < |X|\, (X(i) \to z < i)$$

Thus the set $Y$ consists of those elements smaller than every element in $X$. We claim that $|Y|$ satisfies the LNP for $X$; that is (i) $|Y| < |X|$, (ii) $X(|Y|)$ and (iii) $\forall y < |Y|\, \neg X(y)$. First suppose that $Y$ is empty. Then $|Y| = 0$ by B13 and L2. By assumption $0 < |X|$, so (i) holds in this case. Also $X(0)$, since otherwise $Y(0)$ by B7 and the definition of $Y$, so (ii) holds. Since $\neg y < 0$ by B7 and B10 we conclude (iii) holds vacuously.

Now suppose $Y(y)$ for some $y$. Then $y < |Y|$ by L1, so $|Y| \neq 0$, so by B13 $|Y| = z + 1$ for some $z$ and hence $Y(z)$ by L2. Then $\neg Y(z + 1)$ by L1. Thus $X(z + 1)$ by B11, B12 and the definition of $Y$, so (ii) holds. Also $\neg X(z)$, so (i) holds. Finally (iii) holds by the definition of $Y$ and B10. □

Lemma 3.3. Induction on the length of a string is a theorem of $V_1$-Horn, and of $V^i$, $i \ge 0$.

$$\text{IND}: \quad (X(0) \wedge \forall y < z\, (X(y) \to X(y + 1))) \to X(z)$$

The proof of induction is a formalization of the standard proof LNP $\to$ IND. It can be generalized to allow induction with an arbitrary $k$ as a basis, not just $k = 0$.

It follows from the above Lemma that each of the theories that we have presented proves an induction axiom for each formula in its comprehension scheme. In particular, for $V_1$-Horn we have

Corollary 3.4. $V_1$-Horn proves the $\Sigma^B_1$-Horn Induction axioms

$$(\Phi(0) \wedge \forall y < z\, (\Phi(y) \to \Phi(y + 1))) \to \Phi(z)$$

where $\Phi$ is any $\Sigma^B_1$-Horn formula.

Standard arguments show that induction on open formulas using axioms B1 to B13 is enough to prove simple algebraic properties of $+$ and $\cdot$ such as commutativity, associativity, distributive laws, and cancellation laws involving $+$, $\cdot$, and $\le$. Hence all of our theories prove these properties, and in the sequel we take them for granted. These simple properties suffice to prove that the tupling function defined in (2) and (3) is one-one, so these theories all prove

$$\langle x_1, \ldots, x_k \rangle = \langle x'_1, \ldots, x'_k \rangle \to (x_1 = x'_1 \wedge \ldots \wedge x_k = x'_k)$$
Notation. We use $P^{[b]}$ to denote the "$b$-th row" when $P$ is being used as a 2-dimensional array. If $\phi(P)$ is a formula with no occurrence of $|P|$, then $\phi(P^{[b]})$ is obtained from $\phi(P)$ by replacing every atomic formula $P(t)$ by $P(b, t)$ (i.e. $P(\langle b, t \rangle)$; see (2)).

Other useful properties provable in $V_1$-Horn include $k$-ary comprehension and replacement.

Lemma 3.5 ($k$-ary Comprehension). If $\Phi(x_1, \ldots, x_k)$ is a $\Sigma^B_1$-Horn formula with no free occurrence of $Y$, then $V_1$-Horn proves the $k$-ary comprehension formula

$$\exists Y \le \langle b_1, \ldots, b_k \rangle\, \forall x_1 < b_1 \ldots \forall x_k < b_k\, (Y(x_1, \ldots, x_k) \leftrightarrow \Phi(x_1, \ldots, x_k)) \qquad (6)$$

Lemma 3.6 (Replacement). If $\Phi(y, \vec{P})$ is a $\Pi^B_0$ Horn formula with respect to $\vec{P}$ and $t$ is a term not involving $y$, then $V_1$-Horn proves

$$\forall y < t\, \exists \vec{P}\, \Phi(y, \vec{P}) \leftrightarrow \exists \vec{P}\, \forall y < t\, \Phi(y, \vec{P}^{[y]})$$

where $\vec{P}^{[y]}$ is $P^{[y]}_1, \ldots, P^{[y]}_k$. Further the RHS is a $\Sigma^B_1$-Horn formula.

The replacement scheme is a corollary of the following lemma:

Lemma 3.7. If $V_1$-Horn proves that $\exists \vec{P}\, \forall y < b\, \Phi(y, \vec{P})$ is equivalent to some $\Sigma^B_1$-Horn formula, then $V_1$-Horn proves

$$\forall y < b\, \exists \vec{P}\, \Phi(y, \vec{P}) \leftrightarrow \exists \vec{P}\, \forall y < b\, \Phi(y, \vec{P}^{[y]}).$$

4 Formulas provably equivalent to $\Sigma^B_1$-Horn

Our goal now is to show that every $\Pi^B_0$ formula and every $\Sigma^B_i$-Horn formula, $i \in \mathbb{N}$, is provably equivalent in $V_1$-Horn to a $\Sigma^B_1$-Horn formula, and hence can be used in the comprehension and induction schemes. Later, we also show that the class of formulas provably equivalent to $\Sigma^B_1$-Horn is closed under $\neg$, $\wedge$, $\vee$ and bounded first-order quantification (see 5.3). We start with a simple observation.

Lemma 4.1. If $\Phi_1$ and $\Phi_2$ are $\Sigma^B_1$-Horn formulas, then $\Phi_1 \wedge \Phi_2$ is logically equivalent to a $\Sigma^B_1$-Horn formula.

Proof. Take a suitable prenex form of $\Phi_1 \wedge \Phi_2$. □

4.1 Simulating first-order bounded existential quantification

A major inconvenience of $\Sigma^B_1$-Horn formulas is the lack of first-order existential quantifiers. In general we cannot allow such quantifiers without increasing the apparent expressive power of the formulas, as pointed out in the 3-colorability example. However, it is possible to introduce bounded existential quantifiers in some contexts.


Notation. If $P$ is a second-order variable, then $\bar{P}$ denotes a second-order variable whose intended interpretation is $\neg P$.

We now introduce the Horn formulas SEARCH$_k$ which are $\Pi^B_0$ Horn with respect to all of their second-order variables and which will allow a $\Sigma^B_1$-Horn formula to represent $\exists z < b\, X(\vec{y}, z)$. Assuming that $\bar{X} \leftrightarrow \neg X$, SEARCH$_k(\vec{b}, b, S, \bar{S}, X, \bar{X})$ asserts that $S(\vec{y}, i)$ holds iff $X(\vec{y}, z)$ holds for some $z < i$, where $\vec{b}$ stands for $b_1, \ldots, b_k$, and $\vec{y}$ stands for $y_1, \ldots, y_k$. We use $\vec{y} < \vec{b}$ for $y_1 < b_1 \wedge \ldots \wedge y_k < b_k$.

Definition 4.2. For each $k \ge 1$ SEARCH$_k(\vec{b}, b, S, \bar{S}, X, \bar{X})$ is the $\Pi^B_0$ Horn formula

$$\begin{aligned}
\forall \vec{y} < \vec{b}\, \forall i < b\ & (\neg S(\vec{y}, 0) \wedge \bar{S}(\vec{y}, 0)) \\
& \wedge (\neg S(\vec{y}, i + 1) \vee \neg \bar{S}(\vec{y}, i + 1)) \\
& \wedge (S(\vec{y}, i) \to S(\vec{y}, i + 1)) \\
& \wedge (X(\vec{y}, i) \to S(\vec{y}, i + 1)) \\
& \wedge (\bar{S}(\vec{y}, i) \wedge \bar{X}(\vec{y}, i) \to \bar{S}(\vec{y}, i + 1))
\end{aligned}$$

We can prove in $V_1$-Horn that this definition of SEARCH corresponds to a bounded existential quantifier in the above limited sense.

4.2 The $\Sigma^B_0$ formulas are provably equivalent to $\Sigma^B_1$-Horn

Consider a $\Sigma^B_0$ formula $Q_1 y_1 < b_1 \ldots Q_k y_k < b_k\, \phi(\vec{y})$, where each $Q_i$ is either $\forall$ or $\exists$. We show how to conjoin copies of SEARCH$(\ldots)$ to define arrays $S_0, \ldots, S_k$ such that $S_i(y_1, \ldots, y_{k-i}) \leftrightarrow Q_{k-i+1} y_{k-i+1} < b_{k-i+1} \ldots Q_k y_k < b_k\, \phi(\vec{y})$. These are used to form an equivalent $\Sigma^B_1$-Horn formula.

The proof of this fact proceeds by induction. For the base case, we define $S_0(\vec{y}) = \phi(\vec{y})$ and $\bar{S}_0(\vec{y}) = \neg\phi(\vec{y})$ (we can negate a quantifier-free formula). For the induction step, to get the arrays $S_{i+1}$ and $\bar{S}_{i+1}$ we search the values of $S_i$ and $\bar{S}_i$ for either a witness or a counterexample, based on whether the $i$-th quantifier of the original formula is $\exists$ or $\forall$.

Corollary 4.3. Every $\Sigma^B_0$ formula is provably equivalent in $V_1$-Horn to a $\Sigma^B_1$-Horn formula.
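As an added illustration (not from the paper) of Definition 4.2 and the induction of Section 4.2, the following Python computes the SEARCH$_k$ arrays as the least model of their Horn clauses and uses them to eliminate a prefix of bounded quantifiers $Q_1 y_1 < b_1 \ldots Q_k y_k < b_k$ over a quantifier-free $\phi$, building the arrays $S_i$ and $\bar{S}_i$ innermost quantifier first; the 'E'/'A' encoding of quantifiers and the dictionary layout are this example's own choices.

```python
# Added example (not from the paper): SEARCH_k of Definition 4.2 and the
# quantifier-elimination induction of Section 4.2.  Arrays are Python dicts
# from index tuples to booleans; 'E' stands for exists and 'A' for forall.
from itertools import product


def search(X, Xbar, bounds, b):
    """SEARCH_k(b_1..b_k, b, S, Sbar, X, Xbar), computed as the least model of
    its Horn clauses:
        S(y, 0) false, Sbar(y, 0) true,
        S(y, i) -> S(y, i+1),  X(y, i) -> S(y, i+1),
        Sbar(y, i) and Xbar(y, i) -> Sbar(y, i+1).
    Afterwards S(y, i) holds iff X(y, z) for some z < i, and Sbar = not S."""
    S, Sbar = {}, {}
    for y in product(*(range(bi) for bi in bounds)):
        S[y + (0,)], Sbar[y + (0,)] = False, True
        for i in range(b):
            S[y + (i + 1,)] = S[y + (i,)] or X[y + (i,)]
            Sbar[y + (i + 1,)] = Sbar[y + (i,)] and Xbar[y + (i,)]
    return S, Sbar


def eliminate(prefix, phi):
    """prefix: list of (quantifier, bound) for y_1 .. y_k in order, with
    quantifier 'E' (exists) or 'A' (forall); phi: predicate on k numbers.
    Returns (value, negated value) of Q_1 y_1 < b_1 ... Q_k y_k < b_k phi(y),
    i.e. the single entries of the last pair of arrays S_k and Sbar_k."""
    bounds = [b for _, b in prefix]
    # base case: S_0(y) = phi(y) and Sbar_0(y) = not phi(y)
    S = {y: bool(phi(*y)) for y in product(*(range(b) for b in bounds))}
    Sbar = {y: not v for y, v in S.items()}
    for j in range(len(prefix) - 1, -1, -1):     # innermost quantifier first
        q, b = prefix[j]
        outer = bounds[:j]
        if q == 'E':                  # search S for a witness
            full, fullbar = search(S, Sbar, outer, b)
        else:                         # search Sbar for a counterexample
            full, fullbar = search(Sbar, S, outer, b)
        S = {y: full[y + (b,)] for y in product(*(range(bi) for bi in outer))}
        Sbar = {y: fullbar[y + (b,)] for y in S}
        if q == 'A':                  # a counterexample found makes forall false
            S, Sbar = Sbar, S
    return S[()], Sbar[()]
```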

4.3 Collapse of $V$-Horn to $V_1$-Horn

Grädel [14] showed that it is possible to represent a SO$\exists$-Horn formula preceded by alternating SO quantifiers by a SO$\exists$-Horn formula, which implies the collapse of the SO-Horn hierarchy to SO$\exists$-Horn. We can formalize Grädel's proof in $V_1$-Horn, showing that $\Sigma^B_1$-Horn formulas are closed under second-order quantification. That is, a $\Sigma^B_1$-Horn formula preceded by a sequence of (possibly alternating) second-order quantifiers is equivalent (provably in $V_1$-Horn) to a $\Sigma^B_1$-Horn formula.
5 Encoding the Horn SAT algorithm by a $\Sigma^B_1$-Horn formula

Here we show that a run of the Horn satisfiability algorithm described in the proof of Theorem 2.3 can be represented by a $\Sigma^B_1$-Horn formula RUN. This result is needed for Sections 6 and 7. A simple corollary is that the negation of a $\Sigma^B_1$-Horn formula is provably equivalent to a $\Sigma^B_1$-Horn formula. In other words, $V_1$-Horn proves that P is closed under complementation.

Theorem 5.1. Let $\Phi$ be a $\Sigma^B_1$-Horn formula which does not involve $R$ or $\bar{R}$. Then there is a formula RUN$_\Phi(R, \bar{R})$ whose free variables include those of $\Phi$, in which the only atomic subformulas involving $R$ and $\bar{R}$ are $R(0)$ and $\bar{R}(0)$, and such that $\exists R \exists \bar{R}\, \text{RUN}_\Phi(R, \bar{R})$ is a $\Sigma^B_1$-Horn formula and $V_1$-Horn proves the following:

(i) $\exists R \exists \bar{R}\, \text{RUN}_\Phi(R, \bar{R})$

(ii) $\text{RUN}_\Phi(R, \bar{R}) \to [(R(0) \leftrightarrow \Phi) \wedge (\bar{R}(0) \leftrightarrow \neg\Phi)]$

In the proof of this theorem, it is sufficient to consider only $\Sigma^B_1$-Horn formulas with one existential second-order quantifier.

Corollary 5.2. If $\Phi$ is $\Sigma^B_1$-Horn, then $\neg\Phi$ is provably equivalent in $V_1$-Horn to a $\Sigma^B_1$-Horn formula NEG$_\Phi$.

Corollary 5.3. The class of formulas provably equivalent in $V_1$-Horn to a $\Sigma^B_1$-Horn formula is closed under $\neg$, $\wedge$, $\vee$, and bounded first-order quantification.

This follows from Lemmas 3.6 and 4.1, and Corollary 5.2.

Theorem 5.1 can be generalized to the case in which arrays $R(y)$ and $\bar{R}(y)$ code values of $\Phi(y)$ and $\neg\Phi(y)$.

Corollary 5.4. Let $\Phi(y)$ be a $\Sigma^B_1$-Horn formula which does not involve $R$ or $\bar{R}$. Then there is a formula RUN$_{\Phi(y)}(b, R, \bar{R})$ which does not have $y$ free but whose free variables include any other free variables of $\Phi$ such that $\exists R \exists \bar{R}\, \text{RUN}_{\Phi(y)}(b, R, \bar{R})$ is a $\Sigma^B_1$-Horn formula and $V_1$-Horn proves the following:

(i) $\exists R \exists \bar{R}\, \text{RUN}_{\Phi(y)}(b, R, \bar{R})$

(ii) $\text{RUN}_{\Phi(y)}(b, R, \bar{R}) \to \forall y < b\, [(R(y) \leftrightarrow \Phi(y)) \wedge (\bar{R}(y) \leftrightarrow \neg\Phi(y))]$

The algorithm we wish to represent has two main steps (see the proof of Theorem 2.3): first, create a propositional Horn formula Horn[Φ] (which depends on the values of the free variables in Φ), and second, apply the Horn SAT algorithm to determine whether Horn[Φ] is satisfiable. We encode Φ in Horn[Φ] using an array Q, and we will present a Σ^B_1-Horn formula PROP_Φ(Q, Q̄) which defines this array and its negation. Besides the indicated free variables, PROP_Φ also has as free variables the free variables of Φ.

For the second step we present a Σ^B_1-Horn formula HORNSAT(a, b, Q, Q̄, R, R̄) (with all free variables indicated) which is independent of Φ and which sets the result variable R(0) true iff Horn[Φ] is satisfiable. The encoding Q consists of three parts: C(x, v), D(x, v) and V(x). The first two assert that clause x contains a positive (resp. negative) literal v; the last states that the clause x is true. All formulas defining Q and Q̄ are Σ^B_1.

We can now choose RUN_Φ(R, R̄) to be a Σ^B_1-Horn formula such that

\mathrm{RUN}_\Phi(R, \bar R) \leftrightarrow \exists Q\, [\mathrm{PROP}_\Phi(Q) \wedge \mathrm{HORNSAT}(a, b, Q, R, \bar R)]

In fact we take RUN_Φ(R, R̄) to be a suitable prenex form of the right-hand side.

5.1 Definition of PROP_Φ(Q, Q̄)

We define three Σ^B_1 formulas ψ_C(x, v), ψ_D(x, v), ψ_V(x) which characterize the three arrays C, D, V.

Lemma 5.5. PROP_Φ(Q) can be defined in such a way that ∃Q PROP_Φ(Q) is Σ^B_1-Horn and V_1-Horn proves

(i) \exists Q\; \mathrm{PROP}_\Phi(Q)

(ii) \mathrm{PROP}_\Phi(Q) \rightarrow \forall v < a\, \forall x < b\, [(C(x,v) \leftrightarrow \psi_C(x,v)) \wedge (\bar C(x,v) \leftrightarrow \neg\psi_C(x,v)) \wedge (D(x,v) \leftrightarrow \psi_D(x,v)) \wedge (\bar D(x,v) \leftrightarrow \neg\psi_D(x,v)) \wedge (V(x) \leftrightarrow \psi_V(x)) \wedge (\bar V(x) \leftrightarrow \neg\psi_V(x))]

5.2 Definition of HORNSAT(a, b, Q, Q̄, R, R̄)

Although the Horn satisfiability algorithm is easy to describe informally, it is not straightforward to formalize in V_1-Horn. The propositional Horn satisfiability problem is complete for P [16], and hence cannot be represented by a Σ^B_1 formula.

The algorithm represented by HORNSAT(a, b, Q, Q̄, R, R̄) attempts to find a satisfying assignment to the Horn formula Horn[Φ] described by the parameters a, b, Q. This is done by filling in an array T(t, v), where T(t, v) is the truth value assigned to the atom P(v) after step t, 0 ≤ t, v ≤ a. Initially T(0, v) is false, and at step t+1, T(t+1, v) sets each P(v) true such that P(v) occurs positively in some clause not satisfied after step t. Once P(v) is set true, it is never changed to false.

Defining TDEF to be the formula encoding the truth assignment array T and SAT a formula stating that the resulting truth assignment satisfies Horn[Φ], the rest of the algorithm is encoded by

\mathrm{HORNSAT}(a, b, Q, \bar Q, R, \bar R) = \exists T\, \exists \bar T\, [\mathrm{TDEF}(a, b, Q, T, \bar T) \wedge \qquad (7)

Lemma 5.6 (Correctness of HORNSAT). V_1-Horn proves

\mathrm{HORNSAT}(a, b, Q, R, \bar R) \wedge \mathrm{NEG} \rightarrow (R(0) \leftrightarrow \exists T_1\, \mathrm{SAT}(a, b, Q, T_1)) \wedge (\bar R(0) \leftrightarrow \neg\exists T_1\, \mathrm{SAT}(a, b, Q, T_1)),

where NEG states that Q̄ ↔ ¬Q.

Full details can be found in [7].
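The marking algorithm that HORNSAT encodes, as an added example in Python (not code from the paper or from [7]): clauses are given by Boolean arrays C[x][v], D[x][v], V[x] as in the encoding Q, the run fills the array T[t][v] for 0 ≤ t ≤ a, and the result is the value of R(0) from Lemma 5.6. Reading V(x) as "clause x is the constant true", the helper make_instance and the sample instance are assumptions of this example.

```python
# Marking algorithm for propositional Horn satisfiability, written to mirror the
# encoding of Section 5.2.  Added example, not code from the paper or from [7].
# Assumptions: the Horn instance has atoms P(0), ..., P(a-1) and clauses
# x = 0, ..., b-1, given by the Boolean arrays C[x][v] (P(v) occurs positively
# in clause x), D[x][v] (P(v) occurs negatively in x) and V[x] (read here as
# "clause x is the constant true", so it never needs attention).  The run is
# the array T[t][v], 0 <= t <= a, of Section 5.2.
from typing import List, Sequence, Set, Tuple

Bits = List[bool]


def clause_is_satisfied(x: int, C: Sequence[Bits], D: Sequence[Bits],
                        V: Bits, assignment: Bits) -> bool:
    """Clause x reads (conjunction of its negative atoms) -> (positive atom).
    It holds when it is the constant true, when some negative atom is still
    false, or when some positive atom is already true."""
    if V[x]:
        return True
    atoms = range(len(assignment))
    if any(D[x][v] and not assignment[v] for v in atoms):
        return True
    return any(C[x][v] and assignment[v] for v in atoms)


def horn_run(a: int, b: int, C: Sequence[Bits], D: Sequence[Bits],
             V: Bits) -> List[Bits]:
    """T[0] is all false; T[t+1] additionally sets P(v) true for every v that
    occurs positively in some clause not satisfied after step t.  Atoms are
    never reset, so after a steps nothing can change any more."""
    T = [[False] * a]
    for t in range(a):
        prev = T[t]
        nxt = list(prev)
        for x in range(b):
            if not clause_is_satisfied(x, C, D, V, prev):
                for v in range(a):
                    if C[x][v]:
                        nxt[v] = True
        T.append(nxt)
    return T


def hornsat(a: int, b: int, C: Sequence[Bits], D: Sequence[Bits],
            V: Bits) -> Tuple[bool, Bits]:
    """The result variable R(0) of Lemma 5.6 together with the final row T[a]:
    R(0) is true iff that row satisfies every clause (the SAT check).  A clause
    without positive literal whose negative atoms all became true is the only
    way the check can fail, and then Horn[Phi] is unsatisfiable."""
    T = horn_run(a, b, C, D, V)
    final = T[a]
    return all(clause_is_satisfied(x, C, D, V, final) for x in range(b)), final


def make_instance(a: int, clauses: Sequence[Tuple[Set[int], Set[int], bool]]):
    """Constructed helper (not from the paper): build the arrays C, D, V from
    clauses written as (positive atoms, negative atoms, is_constant_true)."""
    b = len(clauses)
    C = [[False] * a for _ in range(b)]
    D = [[False] * a for _ in range(b)]
    V = [False] * b
    for x, (pos, neg, is_true) in enumerate(clauses):
        for v in pos:
            C[x][v] = True
        for v in neg:
            D[x][v] = True
        V[x] = is_true
    return b, C, D, V


# Constructed sample over atoms P(0..3):
#   P(0);  P(0) -> P(1);  P(1) -> P(2);  P(1),P(2) -> P(3);  P(0),P(3) -> false
SAMPLE = [({0}, set(), False), ({1}, {0}, False), ({2}, {1}, False),
          ({3}, {1, 2}, False), (set(), {0, 3}, False)]


def demo() -> Tuple[bool, Bits, bool, Bits]:
    """Run the sample as given (the forced atoms violate its last clause, so
    it is unsatisfiable) and again without that last clause."""
    a = 4
    sat, final = hornsat(a, *make_instance(a, SAMPLE))
    sat2, final2 = hornsat(a, *make_instance(a, SAMPLE[:-1]))
    return sat, final, sat2, final2


if __name__ == "__main__":
    print(demo())   # (False, [True, True, True, True], True, [True, True, True, True])
```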

6 Equivalence of V_1-Horn, P-def and QPV

The first-order theory QPV (called PV1 in [20]) has function symbols for all polynomial-time computable functions, and the axioms include defining equations for these functions (based on Cobham's Theorem) and induction on the length of numbers. The theory has been extensively studied [8, 3, 12, 20, 10] and shown to robustly capture the notion of "polynomial-time reasoning". Zambella's [31] theory P-def is a second-order version of QPV, and can be shown to be equivalent to QPV by the method of RSUV isomorphism (see [20]). We show that V_1-Horn is equivalent in power to P-def. This implies that V_1-Horn is equivalent in power to QPV, but is most likely not as powerful as S^1_2 (see Section 1).

We add function symbols to V_1-Horn by defining their bit graphs by Σ^B_1-Horn formulas, obtaining a system V_1-Horn(FP) of the same power as V_1-Horn. Then we prove the equivalence (provable both in P-def and V_1-Horn(FP)) of functions defined with Σ^B_1-Horn formulas and functions defined by Cobham's theorem. Finally, we show that the classes of theorems of V_1-Horn(FP) and theorems of P-def coincide. The main result of this section is:

Theorem 6.1. P-def is a conservative extension of V_1-Horn.

7 Finite Axiomatizability

Here we show that both V^0 and V_1-Horn are finitely axiomatizable, and that the ∀Σ^B_1 consequences of V_1-Horn and the ∀Σ^b_1 consequences of S^1_2 are each finitely axiomatizable. (Theorem 10.1.2 of [20] states that the ∀Σ^b_i consequences of S^j_2 are finitely axiomatizable for j > 2 and i > 1.)

Since V^0 defines the uniform AC^0 functions, it seems plausible that V_1-Horn could be axiomatized by V^0 together with a formula expressing the comprehension axiom for some predicate which is complete for P under uniform AC^0 reductions. Hence the finite axiomatizability of V_1-Horn should follow from that for V^0. In our proof of Theorem 7.5 below, that predicate is the Horn satisfiability problem, which is complete for P [16].

Theorem 7.1. V^0 is finitely axiomatizable.

Proof. We must show that all Σ^B_0-COMP axioms follow from finitely many theorems of V^0 (see Section 3).

Let 2-BASIC^+ (or simply B^+) denote the 2-BASIC axioms along with finitely many theorems of V^0 asserting basic properties of + and · such as commutativity, associativity, distributive laws, and cancellation laws involving +, ·, and <. These can be proved from the 2-BASIC axioms by induction on Σ^B_0 formulas, as discussed in Section 3.

It suffices to show that k-ary comprehension (6) for all Σ^B_0 formulas follows from B^+ and finitely many such comprehension instances. We use the notation Φ[a, Q](x) to indicate that the Σ^B_0 formula Φ can contain the free variables a, Q in addition to x = x_1, ..., x_k. Then COMP_Φ(a, Q, b) denotes the comprehension formula

\exists Y \le \langle b, \ldots, b\rangle\; \forall x_1 < b \ldots \forall x_k < b\, (Y(x) \leftrightarrow \Phi(x))

We can show that there are only 12 formulas Φ_1, ..., Φ_12 for which we need instances COMP_Φ_i of the comprehension scheme. For example, Φ_1, Φ_2 and one further Φ_j (with parameters Q_1, Q_2) are:

\Phi_1(x_1, x_2) = \exists y < x_1\, (x_1 = \langle x_2, y\rangle)

\Phi_2(x_1, x_2) = \exists z < x_1\, (x_1 = \langle z, x_2\rangle)

\Phi_j[Q_1, Q_2](x_1, x_2) = \exists y < x_1\, (Q_1(x_1, y) \wedge Q_2(y, x_2))

In the following lemmas, we abbreviate COMP_Φ_i(...) by C_i. The lemmas state that projection, terms and finally atomic formulas can be defined using finitely many axioms of V^0.

Lemma 7.2. For each k ≥ 2 and 1 ≤ i ≤ k let

\Phi(y, z) = \exists x_1 < y \ldots \exists x_{i-1} < y\; \exists x_{i+1} < y \ldots \exists x_k < y\; [y = \langle x_1, \ldots, x_{i-1}, z, x_{i+1}, \ldots, x_k\rangle]

Then

B^+, C_1, C_2, C_3 \vdash \mathrm{COMP}_\Phi

Lemma 7.3. Let t(x) be a term which in addition to the variables x may involve other variables a, Q. Let Φ_t[a, Q](x, y) = (y = t(x)). Then

B^+, C_1, \ldots, C_6 \vdash \mathrm{COMP}_{\Phi_t}(a, Q, b, d)

Lemma 7.4. Let t_1(x), t_2(x) be terms with variables among x, a, Q. Suppose

\Phi'_1[a, Q](x) = (t_1(x) = t_2(x))

\Phi'_2[a, Q](x) = (t_1(x) < t_2(x))

\Phi'_3[a, Q, X](x) = X(t_1(x))

Then B^+, C_1, \ldots, C_9 \vdash \mathrm{COMP}_{\Phi'_i} for i = 1, 2, 3.

Now we can complete the proof of the theorem. Lemma 7.4 takes care of the case when Φ is an atomic formula. Let

\Phi_{10}[Q](x) = \neg Q(x)

\Phi_{11}[Q_1, Q_2](x) = Q_1(x) \wedge Q_2(x)

\Phi_{12}[Q, c](x) = \forall y < c\, Q(x, y)

Now by repeated applications of COMP_Φ_10 and COMP_Φ_11 we handle the case in which Φ is quantifier-free.

Now suppose Φ(x) = ∀y < t(x) φ(x, y). We assume as an induction hypothesis that we can define Q satisfying

\forall x < b\; \forall y < t(b) + 1\; [Q(x, y) \leftrightarrow (y < t(x) \rightarrow \varphi(x, y))]

Then COMP_Φ(b) follows from COMP_Φ_12(Q, c, b) with c ← t(b) and b ← ⟨b_1, ..., b_k⟩. □

Theorem 7.5. V_1-Horn is finitely axiomatizable.

Proof. It suffices to show that Corollary 5.4 (i) and (ii) can be proved for any Σ^B_1-Horn formula Φ(y) using finitely many theorems of V_1-Horn as axioms. We first show how to do this for Theorem 5.1 (i) and (ii), and then explain how to modify the proof to get the corollary.

First note that for each Σ^B_1-Horn formula Φ we can define a version of PROP_Φ such that (i) and (ii) in Lemma 5.5 are theorems of V^0. Thus we include the finite set of axioms for V^0 from Theorem 7.1 among the finite axioms for V_1-Horn. The proof of Theorem 5.1 depends on Lemma 5.5 (which we have established) and some properties of HORNSAT. Since HORNSAT is independent of Φ, we can take these properties as axioms.

To generalize the proof of Theorem 5.1 in order to prove Corollary 5.4, we incorporate the variable y in Φ(y) as an argument of each of the arrays C, D, V, C̄, D̄, V̄ to define the formula PROP_Φ(y) in a modified Lemma 5.5. Then y is not free in PROP_Φ(y) (although it could be free in PROP_Φ). The definition (7) of HORNSAT is modified so that the parameter y is incorporated as an argument of each of the arrays R, R̄, T, T̄. Then Corollary 5.4 follows in the same way as Theorem 5.1. □

Theorem 7.6. V_1-Horn is axiomatized by its ∀Σ^B_1 consequences.

Proof. It suffices to show that each Σ^B_1-Horn comprehension axiom is a consequence of ∀Σ^B_1 theorems of V_1-Horn. First we show that the second-order quantifiers in Σ^B_1-Horn formulas (1) can be bounded. That is, for each Σ^B_1-Horn formula Φ there is a Σ^B_1 formula which ∀Σ^B_1-V_1-Horn proves equivalent to Φ. To construct it, replace each second-order quantifier ∃P in Φ by a bounded quantifier ∃P ≤ t, where t is a provable upper bound on all terms u such that P(u) occurs in Φ. The equivalence of Φ and its bounded version requires only Φ-COMP instances for formulas Φ with no second-order quantifiers, and these instances are ∀Σ^B_1 formulas.

The comprehension axiom (5) for Φ(y) follows from Corollary 5.4 (i) and (ii). The Σ^B_1 form of (i) we need is

\exists R \le y\; \exists \bar R \le y\; \mathrm{RUN}_{\Phi(y)}(y, R, \bar R)

where RUN_Φ(y) has suitable bounds on its second-order quantifiers. For (ii) we do not need the clause involving R̄. If we replace Φ by its bounded version, then a suitable prenex form of the result is ∀Σ^B_1. □

Corollary 7.7. The ∀Σ^B_1 consequences of V_1-Horn are finitely axiomatizable. The ∀Σ^b_1 consequences of S^1_2 are finitely axiomatizable.

Proof. The first sentence follows by compactness from Theorems 7.6 and 7.5. Since V^1 is ∀Σ^B_1 conservative over P-def [31], it follows from Theorem 6.1 that the ∀Σ^B_1 consequences of V^1 and of V_1-Horn are the same, and hence are finitely axiomatizable. The second sentence of the Corollary is equivalent to asserting that the ∀Σ^B_1 consequences of V^1 are finitely axiomatizable, by the RSUV isomorphism. □

8. Conclusion

The original motivation for this paper was to make a connection between descriptive complexity and bounded arithmetic. Specifically, we use Grädel's theorem that a predicate is polynomial-time iff it corresponds to the finite models of some second-order Horn formula, and define a second-order theory based on a comprehension axiom scheme essentially over the second-order Horn formulas. The resulting theory V_1-Horn turns out to have the same power as the previously defined theories QPV and P-def, but the proof of equivalence is nontrivial and requires formalizing the Horn satisfiability algorithm in V_1-Horn. Unlike QPV and P-def, our theory V_1-Horn turns out to be finitely axiomatizable, and this has consequences for the important theory S^1_2.

It seems plausible that characterizations of other complexity classes in descriptive complexity can be used to define related theories. In particular, Grädel [15] uses second-order Krom formulas to characterize NL (nondeterministic log space), and this might serve as a basis for a theory of log space reasoning.

Although we do not exploit them in this paper, bounded arithmetic has important connections with propositional proof complexity (see [20]). The main goal of the latter is to establish super-polynomial lower bounds on the lengths of proofs in various propositional proof systems. (If this could be done for all "reasonable" such systems then NP ≠ coNP and hence NP ≠ P [11].) [8] showed that every theorem of PV can be expressed as a family of tautologies with polynomial size proofs in a so-called Extended-Frege proof system. A host of similar results has been proved since. In the case of some weak theories T the corresponding propositional proof system is sometimes weak enough that super-polynomial lower bounds are provable, and then independence results for T follow [24]. We know indirectly from [8] that the theorems of V_1-Horn translate into tautology families with polynomial-size Extended-Frege proofs. It might be instructive to carry out this translation directly, possibly shedding light on the central and very difficult problem of proving superpolynomial lower bounds for Extended-Frege systems.

References

[1] D. M. Barrington, N. Immerman, and H. Straubing. On uniformity within NC^1. Journal of Computer and System Sciences, 41(3):274-306, 1990.

[2] S. Buss. Collection of papers. URL: "ftp://euclid.ucsd.edu/pub/sbuss/research/".

[3] S. Buss. Bounded Arithmetic. Bibliopolis, Naples, 1986.

[4] S. Buss. Axiomatizations and conservation results for fragments of bounded arithmetic. Contemporary Mathematics, 106:57-84, 1990.

[5] S. Buss. Relating the bounded arithmetic and polynomial time hierarchies. Annals of Pure and Applied Logic, 75:67-77, 1995.

[6] S. Buss, editor. Handbook of Proof Theory. Elsevier, Amsterdam, 1998.

[7] S. Cook and A. Kolokolova. A second-order system for polynomial-time reasoning based on Graedel's theorem. Electronic Colloquium on Computational Complexity (ECCC), TR01-024, 2001.

[8] S. A. Cook. Feasibly constructive proofs and the propositional calculus. In Proceedings of the Seventh Annual ACM Symposium on Theory of Computing, pages 83-97, 1975.

[9] S. A. Cook. CSC 2429S: Proof Complexity and Bounded Arithmetic. Course notes. URL: "http://www.cs.toronto.edu/~sacook/csc2429h". Spring 1998.

[10] S. A. Cook. Relating the provable collapse of P to NC^1 and the power of logical theories. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 39:73-91, 1998.

[11] S. A. Cook and A. R. Reckhow. The relative efficiency of propositional proof systems. Journal of Symbolic Logic, 44(1):36-50, 1979.

[12] S. A. Cook and A. Urquhart. Functional interpretations of feasibly constructive arithmetic. Annals of Pure and Applied Logic, 63(2):103-200, 1993.

[13] R. Fagin. Generalized first-order spectra and polynomial-time recognizable sets. Complexity of Computation, SIAM-AMS Proceedings, 7:43-73, 1974.

[14] E. Grädel. The Expressive Power of Second Order Horn Logic. In Proceedings of 8th Symposium on Theoretical Aspects of Computer Science STACS '91, Hamburg 1991, volume 480 of LNCS, pages 466-477. Springer-Verlag, 1991.

[15] E. Grädel. Capturing Complexity Classes by Fragments of Second Order Logic. Theoretical Computer Science, 101:35-57, 1992.

[16] R. Greenlaw, H. J. Hoover, and W. L. Ruzzo. Limits to Parallel Computation. Oxford University Press, 1995.

[17] P. Hájek and P. Pudlák. Metamathematics of First-Order Arithmetic. Springer, Berlin, 1998.

[18] N. Immerman. Relational queries computable in polytime. Information and Control, 68:86-104, 1986.

[19] N. Immerman. Descriptive Complexity. Springer Verlag, New York, 1999.

[20] J. Krajíček. Bounded Arithmetic, Propositional Logic, and Complexity Theory. Cambridge University Press, New York, USA, 1995.

[21] J. Krajíček, P. Pudlák, and G. Takeuti. Bounded arithmetic and the polynomial time hierarchy. Annals of Pure and Applied Logic, 52:143-153, 1991.

[22] D. Leivant. Characterization of complexity classes in higher-order logic. In Proceedings of the Second Annual Conference on Structure in Complexity Theory, pages 203-217, 1987.

[23] D. Leivant. Descriptive characterizations of computational complexity. Journal of Computer and System Sciences, 39:51-83, 1989.

[24] J. Paris and A. Wilkie. Counting problems in bounded arithmetic. In Methods in Mathematical Logic, volume 1130 of LNM, pages 317-340. Springer Verlag, 1985.

[25] A. Razborov. An equivalence between second-order bounded domain bounded arithmetic and first-order bounded arithmetic. In P. Clote and J. Krajíček, editors, Arithmetic, Proof Theory and Computational Complexity, pages 247-277.  Clarendon Press, Oxford, 1993.

[26] A. Razborov. Bounded arithmetic and lower bounds in Boolean complexity. In P. Clote and J. Remmel, editors, Feasible Mathematics II, pages 344-386. Birkhäuser, 1995.

[27] U. Schöning and R. Pruim. Gems of Theoretical Computer Science. Springer, Berlin, 1998.

[28] L. J. Stockmeyer. The polynomial-time hierarchy. Theoretical Computer Science, 3:1-22, 1977.

[29] G. Takeuti. RSUV isomorphism. In P. Clote and J. Krajíček, editors, Arithmetic, Proof Theory and Computational Complexity, pages 364-386. Clarendon Press, Oxford, 1993.

[30] M. Vardi. Complexity of relational query languages. Information and Control, 68:137-146, 1986.

[31] D. Zambella. Notes on polynomially bounded arithmetic. The Journal of Symbolic Logic, 61(3):942-966, 1996.




The Crane Beach Conjecture

David A. Mix Barrington
Computer Science Department
University of Massachusetts
barring@cs.umass.edu

Clemens Lautemann
Institut für Informatik
Johannes Gutenberg-Universität Mainz
cl@informatik.uni-mainz.de

Neil Immerman
Computer Science Department
University of Massachusetts
immerman@cs.umass.edu

Nicole Schweikardt
Institut für Informatik
Johannes Gutenberg-Universität Mainz
nisch@informatik.uni-mainz.de

Denis Thérien
School of Computer Science
McGill University
denis@cs.mcgill.ca


Abstract

A language L over an alphabet A is said to have a neutral letter if there is a letter e ∈ A such that inserting or deleting e's from any word in A* does not change its membership (or non-membership) in L.

The presence of a neutral letter affects the definability of a language in first-order logic. It was conjectured that it renders all numerical predicates apart from the order predicate useless, i.e., that if a language L with a neutral letter is not definable in first-order logic with linear order, then it is not definable in first-order logic with any set N of numerical predicates.

We investigate this conjecture in detail, showing that it fails already for N = {+, *}, or, possibly stronger, for any set N that allows counting up to the m times iterated logarithm, lg^(m), for any constant m.

On the positive side, we prove the conjecture for the case of all monadic numerical predicates, for N = {+}, for the fragment BC(Σ_1) of first-order logic, and for binary alphabets.
1 Introduction

Logicians have long been interested in the relative expressive power of different logical formalisms. In the last twenty years, these investigations have also been motivated by a close connection to computational complexity theory — most computational complexity classes have been given characterisations as finite model classes of appropriate logics, cf. [Imm98]. In these investigations it became apparent that in order to describe computation over a finite structure, a formula has to be able to refer to some linear order of the elements of this structure. Given such an order, the universe of the structure, i.e., the set of its elements, can be identified with an initial segment of the natural numbers. In a logic with the capability to express induction we can then define predicates for arithmetical operations such as addition or multiplication on the universe, and use them in order to describe operations on time or memory locations. In weak logics, however, e.g., first-order logic, defining an order relation does not automatically make arithmetic available. In fact, even over strings, the expressive power of first-order logic varies considerably, depending on the set of numerical predicates that can be used.

As an example, if the order is the only numerical relation then the only regular languages that can be defined in first-order logic are the star-free languages. If, however, for every p ∈ ℕ we have available the predicate mod_p (which holds for a number m iff m ≡ 0 (mod p)) then we can express regular languages that are not star-free, such as (000 + 001)*. In fact, with these predicates we can express all the first-order definable regular languages, cf. [Str94]. Thus, even very powerful relations (arithmetical relations, or even undecidable ones) are of no further help in defining regular languages. On the other hand, with addition, we can express languages that are not regular, such as {0^n 1^n / n ∈ ℕ}.

First-order logic with varying numerical predicates can also be thought of as specifying circuit complexity classes with varying uniformity conditions [BIS90]. The language defined by a first-order formula is naturally computed by a family of Boolean circuits with constant depth, polynomial size, and unbounded fan-in (called "AC^0 circuits"). The power of such a family depends in part on the sophistication of the connections among the nodes. A formula with only simple numerical predicates leads to a circuit family where these connections are easily computable. These are called "uniform circuits", and how uniform they are is quantified by the computational complexity of a language describing the connections. A formula with arbitrary numerical predicates leads to a circuit family with arbitrary connections — the set of languages so describable is called "non-uniform AC^0".

There are languages, such as the PARITY language, for which we can prove no AC^0 circuit exists [Ajt83, FSS84]. A major open problem in complexity theory is to develop methods for showing languages to be outside of uniform circuit complexity classes even if they are in the corresponding non-uniform class. This is an additional motivation for the study of the expressive power of first-order logic with various numerical predicates, as this provides a parametrization of various versions of "uniform AC^0".

In an attempt to obtain a better understanding of this expressive power, Thérien considered the concept of a neutral letter for a language L, i.e., a letter e that can be inserted into or deleted from a string without affecting its membership in L. Since, in the presence of such a letter, membership in L cannot depend on specific (combinations of) letters being in specific (combinations of) positions, it seemed conceivable that neutral letters would render all numerical predicates, except for the order, useless. With this in mind, Thérien proposed what was later dubbed the Crane Beach Conjecture:

If a language with a neutral letter can be defined in first-order logic using some set N of numerical predicates then it can be so defined using only the order relation.

One particular example of a language with a neutral letter is PARITY, consisting precisely of those 0-1-strings in which 1 occurs an even number of times. PARITY is not definable in first-order logic, no matter what numerical predicates are used (cf. [Ajt83, FSS84]). The Crane Beach conjecture would imply this result, since PARITY is a regular language known not to be star-free.

In this paper, we investigate the Crane Beach conjecture in detail. We first show that in general it is not true — in fact, it already fails for N = {+, *}. However, we also show that the conjecture is true in a number of interesting special cases, including the case of addition, i.e., when N = {+}.

This work is closely related to a line of research in database theory which is concerned with so-called collapse results (cf. [BL00]). Here one considers a finite database embedded in some infinite, ordered domain, and then looks at locally generic queries, i.e., queries which are invariant under monotone injections of the database universe into the larger domain. In this setting, a language with a neutral letter is the special case of a locally generic (Boolean) query over monadic databases with background structure (ℕ, N), and the conjecture then can be translated into a collapse for first-order logic.

We will come back to this in connection with Theorem 3.12.
2 Preliminaries

2.1 First-Order Logic

A signature is a set σ containing finitely many relation, or predicate, symbols, each with a fixed arity. A σ-structure 𝔄 = (U^𝔄, σ^𝔄) consists of a set U^𝔄, called the universe of 𝔄, and a set σ^𝔄 that contains an interpretation R^𝔄 ⊆ (U^𝔄)^k for each k-ary relation symbol R ∈ σ.

In this paper, we are concerned almost exclusively with first-order logic over finite strings. In this context, for an alphabet A we use the signature σ_A = {Q_a / a ∈ A} and identify a string w = w_1 ··· w_n ∈ A* with the structure 𝔄_w = ({1, ..., n}, σ^w_A), where σ^w_A = {Q^w_a / a ∈ A} and Q^w_a = {i ≤ n / w_i = a}, i.e., i ∈ Q^w_a iff w_i = a, for all a ∈ A.

In addition to the predicates Q_a we also have numerical predicates. A k-ary numerical predicate P has, for every n ∈ ℕ, a fixed interpretation P_n ⊆ {1, ..., n}^k. Our prime example of a numerical predicate is the linear order relation <. Where we see no danger of confusion (i.e., almost everywhere) we will not distinguish notationally between a predicate and its interpretation.

An atomic σ-formula is either of the form x_1 = x_2, or P(x_1, ..., x_k), where x_1, x_2, ..., x_k are variables and P ∈ σ is a k-ary predicate symbol. First-order σ-formulas are built from atomic σ-formulas in the usual way, using Boolean connectives ∧, ∨, etc. and universal (∀x) and existential (∃x) quantifiers.

For every alphabet A, and every set N of numerical predicates, we will denote the set of first-order σ_A ∪ N-formulas by FO[N]. We define the semantics of first-order formulas in the usual way. In particular, for a string w ∈ A* and a formula φ ∈ FO[N] without free variables (i.e., variables not bound by a quantifier), we will write w ⊨ φ if φ holds on the string w. If x_1, ..., x_k are the free variables of φ, and if p_1, ..., p_k ≤ |w|, then w ⊨ φ(p_1, ..., p_k) indicates that φ holds on the string w with x_i interpreted as p_i, for every i ≤ k.

Every formula φ ∈ FO[N] without free variables defines the set L_φ of those A-strings which satisfy φ. We say that a language L ⊆ A* is definable in FO[N], and write L ∈ FO[N], if L = L_φ for some φ ∈ FO[N]. We will use analogous notation for subsets of FO[N]; in particular, we will consider the set Σ_1[N] of formulas which are of the form ∃x_1 ··· ∃x_r ψ, for some quantifier-free ψ ∈ FO[N], and its Boolean closure, BC(Σ_1[N]). (One can define a complete hierarchy of classes Σ_i[N] and Π_i[N] along with their Boolean closures, using the hierarchy of first-order formulas given by the number of quantifier alternations. But in this paper we will have need only for BC(Σ_1[N]).)

2.2  Ehrenfeucht-Frai'sse  Gaines 

One of our main technical tools will be (various versions of) the Ehrenfeucht-Fraïssé game. In our context, the Ehrenfeucht-Fraïssé game for a set $\mathcal{N}$ of numerical predicates is played by two players, Spoiler and Duplicator, on two strings $u, v \in A^*$. There is a fixed number $k$ of rounds, and in each round $i$

• first, Spoiler chooses one position $a_i$ in $u$, or a position $b_i$ in $v$;

• then Duplicator chooses a position in the other string, i.e., a $b_i$ in $v$ if Spoiler's move was in $u$, and an $a_i$ in $u$ otherwise.

After $k$ rounds, the game finishes with positions $a_1, \ldots, a_k$ chosen in $u$ and $b_1, \ldots, b_k$ chosen in $v$. Duplicator has won if the mapping $a_i \mapsto b_i$, $i = 1, \ldots, k$, is a partial $A \cup \mathcal{N}$-isomorphism, i.e., if

• for every $i, j \le k$, $a_i = a_j \iff b_i = b_j$,

• for every $i \le k$, $a_i$ and $b_i$ carry the same letter, i.e., $u_{a_i} = v_{b_i}$, and

• for every $m$-ary predicate $P \in \mathcal{N}$ and every $i_1, \ldots, i_m \le k$, it holds that $P(a_{i_1}, \ldots, a_{i_m}) \iff P(b_{i_1}, \ldots, b_{i_m})$.

If Duplicator has a winning strategy in the $k$-round game for $\mathcal{N}$ on two strings $u$ and $v$, we write $u \equiv_k^{\mathcal{N}} v$. The fundamental use of the game comes from the fact that it characterises first-order logic (cf., e.g., [EFT94]). In our context, this can be formulated as follows:

2.1 Theorem (Ehrenfeucht, Fraïssé)

A language $L \subseteq A^*$ is definable in $FO[\mathcal{N}]$ iff there is a finite subset $\mathcal{N}'$ of $\mathcal{N}$ and a number $k$ such that, for every $u \in L$, $v \notin L$, Spoiler has a winning strategy in the $k$-round game for $\mathcal{N}'$ on $u$ and $v$. □

We will also use the following variant of the game. In the single-round $k$-game for $\mathcal{N}$ on two strings $u, v$,

• first, Spoiler chooses $k$ positions $a_1, \ldots, a_k$ in $u$, or $b_1, \ldots, b_k$ in $v$;

• then Duplicator chooses $k$ positions in the other string, i.e., positions $b_1, \ldots, b_k$ in $v$ if Spoiler's move was in $u$, and $a_1, \ldots, a_k$ in $u$ otherwise.

Again, Duplicator wins iff the mapping $a_i \mapsto b_i$, $i = 1, \ldots, k$, is a partial isomorphism. Clearly, if Duplicator has a winning strategy for the single-round $k$-game on $u$ and $v$, then she also has one for the single-round $h$-game, for all $h \le k$.

This game characterises the expressive power of $BC(\Sigma_1[\mathcal{N}])$:

2.2 Theorem

A language $L \subseteq A^*$ is definable in $BC(\Sigma_1[\mathcal{N}])$ iff there is a finite subset $\mathcal{N}'$ of $\mathcal{N}$ and a number $k$ such that, for every $u \in L$, $v \notin L$, Spoiler has a winning strategy in the single-round $k$-game for $\mathcal{N}'$ on $u$ and $v$. □

3  The  Crane  Beach  Conjecture 

Intuitively,  since  numerical  predicates  can  only  talk  about 
positions  in  strings,  it  seems  that  they  can  only  help  ex¬ 
press  properties  that  depend  on  certain  (combinations  of) 
letters  appearing  in  certain  (combinations  of)  positions.  The 
Crane  Beach  Conjecture  (named  after  the  location  of  its 
first,  flawed,  proof)  is  an  attempt  to  make  that  intuition  pre¬ 
cise. 
3.1 Definition (Neutral letter)

Let $L \subseteq A^*$. A letter $e \in A$ is called neutral for $L$ if for any $u, v \in A^*$ it holds that $uv \in L \iff uev \in L$. □

Thus membership in a language with a neutral letter cannot depend on the individual positions at which letters occur: any letter can be moved away from any position by insertion or deletion of neutral letters. It seems therefore conceivable that for every such language, if it can be defined at all in first-order logic then it can be defined using the linear order as the only numerical relation.

3.2 Definition (Crane Beach Conjecture)

Let $\mathcal{N}$ be a set of numerical predicates. We say that the Crane Beach conjecture is true for $\mathcal{N}$ iff every language $L \in FO[<, \mathcal{N}]$ that has a neutral letter is also definable in $FO[<]$. □

It turns out that the conjecture is true for some sets of numerical predicates, but not for all. In fact, it fails for the set $\mathcal{N} = \{+, \times\}$. This set of predicates is particularly important because $FO[+, \times]$ corresponds to the most natural uniform version of the circuit complexity class $AC^0$ [BIS90].

Our counterexample to the Crane Beach conjecture makes use of the well-known but somewhat counterintuitive ability of $FO[+, \times]$ formulas to count letters up to numbers polylogarithmic in the input size:

3.3 Definition (Definability of Counting)

Let $f(n) \le n$ be a nondecreasing function from $\mathbb{N}$ to $\mathbb{N}$. We say that a logical system can count up to $f(n)$ if there is a formula $\varphi$ such that for every $n$ and for every $w \in \{0, 1\}^n$,

$w \models \varphi(c) \iff c < f(n) \wedge c = \#_1(w)$,

where $\#_1(w)$ is the number of ones in $w$.

We will need to consider two functions with similar notation. We write the base-two logarithm of $n$ as $\lg n$, the $k$'th power of this logarithm as $(\lg n)^k$, and the $k$'th iterated logarithm as $\lg^{(k)} n$. For example, $\lg^{(2)} n$ is the same as $\lg(\lg n)$.

3.4 Proposition ([AB84, FKPS85, DGS86, WWY92])

The system $FO[+, \times]$ can count up to $(\lg n)^k$ for any $k$. If $f(n) = (\lg n)^{\omega(1)}$ and $\mathcal{N}$ is any set of numerical predicates, then $FO[<, \mathcal{N}]$ cannot count up to $f(n)$.

3.5 Theorem

There is a language $L$ with a neutral letter that is definable in $FO[+, \times]$ but not in $FO[<]$.

Proof:

We define a language $A$ on alphabet $\{0, 1, a\}$ as follows. For each positive integer $k$, $A$ will contain a string consisting of the $2^k$ binary strings of length $k$, in order, separated by $a$'s. The total length of the $k$'th string in $A$ is thus $2^k(k+1) - 1$. The first three strings in $A$ are thus $0a1$, $00a01a10a11$, and

$000a001a010a011a100a101a110a111$.

Our desired language $B$ has alphabet $\{0, 1, a, e\}$ and is simply the set of strings $w$ over this alphabet such that the string obtained by deleting all the $e$'s in $w$ is in $A$. Clearly $B$ has a neutral letter $e$, as inserting or deleting $e$'s cannot affect membership in $B$. Clearly $B$ is not regular, so it cannot be in $FO[<]$. It remains for us to prove:

3.6 Lemma

$B$ is definable in $FO[+, \times]$.

Proof:

We need to formulate a sentence of $FO[+, \times]$ that will hold for a string exactly if it is in $B$, that is, exactly if its non-neutral letters form a string in $A$. Recall that a string $w$ is in $A$ exactly if for some number $k$, $w$ consists of the $2^k$ binary strings of length $k$, in order, separated by $a$'s.

Our sentence will assert the existence of a number $k$ such that the input string, with $e$'s removed, is the $k$'th string in the language $A$. Since the length of the $k$'th string in $A$ is exponential in $k$, and a valid input string must be at least as long, any valid $k$ must be at most $\lg n$. Therefore by Proposition 3.4, the system $FO[+, \times]$ is able to count letters in any interval in the input string up to a limit of $k$.

We first assert that there are exactly $k$ 0's and no 1's before the first $a$, exactly $k$ 0's and 1's between each pair of consecutive $a$'s, and exactly $k$ 1's (and no 0's) after the last $a$. We also assert that every block of 0's and 1's that is followed by an $a$ contains at least one 0, so that the block $1^k$ occurs only at the end. It then remains to assert that each string of 0's and 1's between two $a$'s is the successor of the previous one. To do this, we assert that for every position $y$ containing a 0 or 1:

• If there is a position $w$ left of $y$ such that there is a 0 or 1 at $w$ and exactly $k-1$ 0's and 1's between $w$ and $y$ (so that $w$ and $y$ are corresponding bits of consecutive blocks), let $x$ be the unique $a$ between $w$ and $y$, and let $z$ be the next $a$ to the right of $y$, or the rightmost position if there is no such $a$;

• then $w$ has the same letter as $y$ if there is a 0 between $w$ and $x$, and ot
herwise exactly one of the following holds:

• $w$ has 1, $y$ has 0, and there are no 1's between $y$ and $z$, or

• $w$ has 0, $y$ has 1, and there are no 1's between $y$ and $z$.

(In passing from a block to its successor, exactly the trailing 1's and the last 0 change: the trailing 1's become 0's and the last 0 becomes 1. Together with the conditions on the first and last block and on $1^k$, this forces the blocks to be the binary representations of $0, 1, \ldots, 2^k - 1$, in order.) All of these conditions are expressible using order and counting up to $k$. This proves Lemma 3.6. □

Theorem 3.5 now follows immediately. □
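Membership in $B$, as an added worked example (this code is not part of the paper): one decider rebuilds the $k$'th string of $A$ directly, the other applies only the local tests that the proof of Lemma 3.6 expresses in $FO[+,\times]$ (block lengths counted up to $k$, and each bit compared with the bit $k-1$ letters to its left), and a brute-force check confirms that the two agree. The sample strings, the function names, and the extra test that $1^k$ occurs only as the last block are the example's own choices.

```python
"""Added example (not from the paper): the language B of Theorem 3.5, decided
two ways.  in_b_direct() rebuilds the k'th string of A; in_b_local() uses only
the checks that the proof of Lemma 3.6 expresses in FO[+,*]: block lengths
counted up to k, and each bit compared with the bit k-1 letters to its left.
The 'only the last block may be 1^k' test is this example's own addition."""
from itertools import product


def kth_string(k):
    """The k'th string of A: all binary words of length k in increasing order,
    separated by 'a'.  kth_string(2) == '00a01a10a11'."""
    return "a".join("".join(bits) for bits in product("01", repeat=k))


def _strip_neutral(w):
    """Delete the neutral letter e; reject letters outside {0,1,a,e}."""
    if set(w) - set("01ae"):
        return None
    return w.replace("e", "")


def in_b_direct(w):
    s = _strip_neutral(w)
    if not s:
        return False
    k = len(s.split("a")[0])            # the first block fixes k
    return k >= 1 and s == kth_string(k)


def in_b_local(w):
    s = _strip_neutral(w)
    if not s:
        return False
    blocks = s.split("a")
    k = len(blocks[0])
    if k == 0:
        return False
    # Counting conditions of the proof: k letters per block, 0^k first, 1^k last.
    if any(len(b) != k for b in blocks):
        return False
    if blocks[0] != "0" * k or blocks[-1] != "1" * k:
        return False
    # 1^k may occur only as the last block (otherwise the counter could wrap).
    if any(b == "1" * k for b in blocks[:-1]):
        return False
    # Successor rule between corresponding bits w (previous block) and y (next):
    # they agree iff some 0 lies to the right of w in its block; if they differ,
    # no 1 may lie to the right of y in its block.
    for prev, nxt in zip(blocks, blocks[1:]):
        for i in range(k):
            w_bit, y_bit = prev[i], nxt[i]
            if "0" in prev[i + 1:]:
                if w_bit != y_bit:
                    return False
            elif w_bit == y_bit or "1" in nxt[i + 1:]:
                return False
    return True


def agree_up_to(n):
    """True iff both deciders agree on every string over {0,1,a,e} of length <= n."""
    for length in range(n + 1):
        for letters in product("01ae", repeat=length):
            w = "".join(letters)
            if in_b_direct(w) != in_b_local(w):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: the first three are in B, the last two are not.
    for w in ["0a1", "e0ea1e", "00a01a10a11", "00a01a01a10a11", "0a1a0a1"]:
        print(f"{w:16} direct={in_b_direct(w)} local={in_b_local(w)}")
    print("agree on all strings of length <= 6:", agree_up_to(6))
```

The local decider never parses a block as an integer; it only compares letters at bounded distance and looks for a 0 or a 1 inside a block, which is exactly the kind of condition that needs counting only up to $k$. The string `0a1a0a1` shows why the $1^k$ test matters: it passes every other condition, but a repeated cycle is not in $A$.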

The construction above crucially uses the fact that we can count up to $\lg n$ in $FO[+, \times]$. We can strengthen the construction so that it provides a counterexample using only counting up to $\lg^{(m)} n$, the $m$ times iterated logarithm of $n$. However, we do not yet know whether this strengthening is non-trivial: it may be that any set of numerical predicates that allows counting up to $\lg^{(m)} n$ also allows counting up to $\lg n$.

3.7 Proposition

If the system $FO[<, \mathcal{N}]$ can count up to $\lg^{(m)} n$ for some $m$, then there is a language $L$ with a neutral letter that is definable in $FO[<, \mathcal{N}]$ but not in $FO[<]$.

Proof:

We must show that counting up to $\lg^{(m)} n$ suffices to provide a counterexample to the Crane Beach conjecture. We give the construction in some detail for $m = 2$, indicating how to generalize it to arbitrary values of $m$. Take the alphabet $\{a, b, 0, 1, e\}$ and for every $k$ consider strings of the form $(b(0+1)^k(a(0+1)^k)^*)^* b$. Finally, add $e$ as a neutral letter. $a$ and $b$ are used as markers, and we interpret the 0-1-substring between any two successive markers as the binary representation of some number between 0 and $2^k - 1$. If $x$ is any position, we define $block(x)$ to be the interval between the two markers nearest $x$, and $num(x)$ to be the number represented by the 0-1 subsequence in $block(x)$. Using a formula that can count up to $k$ and the construction from the proof of Theorem 3.5 we can write formulas expressing $num(x) = num(y)$ and $num(x) + 1 = num(y)$, respectively. We can now express easily that between every two successive occurrences of $b$ each number from 0 to $2^k - 1$ is represented precisely once. In other words, this formula stipulates that the $\{a, 0, 1\}$-substring between two $b$'s represents a permutation of the numbers $0, \ldots, 2^k - 1$. Finally, we write a formula that expresses that all permutations are represented. Altogether, our formula defines the set of those strings which consist of a sequence of permutations of the numbers $0, \ldots, 2^k - 1$, for some $k$, containing every permutation at least once. In particular, every such string has length $\Omega(2^k!)$, whereas counting is only required up to $k = O(\lg \lg (2^k!))$.

To be more precise, the formula forces all permutations to be present as follows. It says that for every represented permutation $\pi$ (starting, say, with a $b$ at position $p$), and every pair of positions $i, j$ within that permutation (i.e., $p < i < j < p'$, where $p'$ is the smallest position $> p$ that carries a $b$), there is a permutation $\rho$ (between $b$'s at $q$ and $q'$, say) which is equal to $\pi$, except that $num(i)$ and $num(j)$ are swapped. In what follows we will use abbreviations $first(x)$ and $last(x)$ for formulas which express that $x$ lies in the first, respectively last, block of some permutation; $next(x)$ will denote the first position in the block directly to the right of $block(x)$. Our formula for $i$ and $j$ now expresses the following for all $r, s$ such that $p < r < p'$ and $q < s < q'$:

• $num(r) = num(s) \to num(next(r)) = num(next(s))$, unless $last(r)$ or $\{num(r), num(next(r))\} \cap \{num(i), num(j)\} \ne \emptyset$;

• $(num(r) = num(s) \wedge num(next(r)) = num(i)) \to num(next(s)) = num(j)$;

• $(num(r) = num(s) \wedge num(next(r)) = num(j)) \to num(next(s)) = num(i)$;

• $(num(s) = num(j) \wedge \neg last(s)) \to num(next(s)) = num(next(i))$;

• $(num(s) = num(i) \wedge \neg last(s)) \to num(next(s)) = num(next(j))$;

• $(first(r) \wedge first(s) \wedge num(r) \notin \{num(i), num(j)\}) \to num(r) = num(s)$;

• $(first(r) \wedge first(s) \wedge num(r) = num(i)) \to num(s) = num(j)$.

Thus we can construct the desired formula for $m = 2$.

We can then iterate this process, using an additional marker symbol $c$. The resulting formula stipulates that our string represents all permutations of all the permutations of the numbers $0, \ldots, 2^k - 1$. This will guarantee that the string has length $\Omega(((2^k)!)!)$, etc. □

It is not difficult to code the languages above using only two non-neutral letters: just apply the homomorphism $\{a, b, 0, 1, e\}^* \to \{0, 1, e\}^*$ which maps $e$ to $e$, $a$ to $010$, $b$ to $0110$, $0$ to $01110$, and $1$ to $011110$, for example. However, with only one non-neutral letter there is no way of defeating the conjecture.

3.8 Theorem

If $|A| = 2$ then for every set $\mathcal{N}$ of numerical predicates and every language $L \subseteq A^*$ with a neutral letter it holds that $L \in FO[<, \mathcal{N}] \implies L \in FO[<]$.

Proof:

Let $L$ be a language on $\{1, e\}$ with $e$ as a neutral letter. Consider the set of numbers $n$ such that $1^n$ is in $L$ and $1^{n+1}$ is not. If this set is finite, it is easy to see that $L$ is regular and definable in $FO[<]$. Otherwise, we will show that no family of unbounded fan-in circuits with constant depth and polynomial size can recognize $L$; it follows from [BIS90] that $L$ is not definable in $FO[<, \mathcal{N}]$ for any $\mathcal{N}$.

For these particular values of $n$, any circuit deciding $L$ on strings of length $2n$ would compute a symmetric function of the inputs saying yes on inputs with $n$ 1's and no on inputs with $n+1$ ones. Following the construction of [FKPS85], a constant-depth poly-size combination of these circuits can be used to compute the parity function on inputs of this size. If the circuit deciding $L$ had constant depth and polynomial size, then this new circuit would compute the parity function in $AC^0$ for infinitely many input sizes, violating [Ajt83, FSS84]. □

Since PARITY is a non-star-free regular language over $\{0, 1\}^*$ and has a neutral letter, Theorem 3.8 implies the nonexpressibility of PARITY in first-order logic with arbitrary numerical predicates (i.e., in $AC^0$). Note, however, that it directly uses the existing proofs of the nonexpressibility of PARITY to get this result.

On the other hand, the following special case of the Crane Beach conjecture can be proved directly:

3.9 Theorem

The Crane Beach conjecture holds for the set of all monadic relations.

Proof:

Let $L$ be a language with a neutral letter that is not definable in $FO[<]$. This means that for any number of moves $k$ there must be two strings $y \in L$ and $z \notin L$ such that the Duplicator wins the $k$-move game (using only $<$) on $y$ and $z$. By adding neutral letters we can make $y$ and $z$ have the same length $m$.

Now let $\mathcal{N}$ be any finite set of monadic predicates (by Theorem 2.1 it suffices to consider finite sets). We will show that $L$ is not definable in $FO[<, \mathcal{N}]$ as follows. We will use $\mathcal{N}$ to construct two strings $u \in L$ and $v \notin L$ from $y$ and $z$ by suitable padding with neutral letters. (The length of $u$ and $v$ will be a suitably large number $n$ to be defined below.) Then we will show how the Duplicator can win the $k$-move game on $u$ and $v$, with both $<$ and $\mathcal{N}$ as numerical predicates.

The predicates in $\mathcal{N}$ may be regarded as a coloring of the input positions from 1 to $n$ with finitely many colors (the color of a position records which of the predicates hold there). If $r$ and $s$ are input positions, consider the colored string given by the interval from $r$ to $s$, with each input position holding a neutral letter. For any two such strings, consider the $k$-move game with only $<$ as numerical predicate and the colors considered as the input. Let two strings be considered equivalent iff the Duplicator wins this game on them. Since each equivalence class of this game is a regular language and there are only finitely many of them, the equivalence has only a finite number of classes. We now define a colored undirected graph whose vertices are these $n$ input positions and where the color of the edge from position $r$ to position $s$ represents the equivalence class of the colored string for that interval.

By the Erdős-Szekeres Theorem [ES35], as long as $n$ is large enough as a function of $m$ and the number $d$ of edge colors, there must be a monochromatic path in the graph of length at least $m$. We create $u$ from $y$, and $v$ from $z$, by placing the letters of the shorter strings in the locations given by the vertices of this path (the "special locations"), and making all other letters neutral. We must now explain how the Duplicator can win the game with $<$ and $\mathcal{N}$ on the strings $u$ and $v$ (the "Big Game").

The Duplicator will model the Big Game by a series of "small games", for each of which she already has a winning strategy. One small game is played on the strings $y$ and $z$ using only $<$, and there is another small game (using $<$ and color only) for each interval between special locations. Whenever the Spoiler moves in the Big Game, the Duplicator translates this move into the $y$-$z$ small game by moving to the position matching the next special position to the right. She also translates it into the small game for that interval. The Duplicator's reply in the Big Game is determined by her correct move in the $y$-$z$ game and her correct move in the small game for that particular interval.

After $k$ moves the Duplicator must win the original small game and all the interval small games, as she has made at most $k$ moves in each. It is easy but tedious to look at the input predicates, order, equality, and position color in the Big Game and verify that the Duplicator has won that as well. □

We can use Theorem 3.9 to derive the following interesting generalization of the nonexpressibility of PARITY. But again, we do not get an independent proof of this fact because the existing proofs are used crucially to obtain the results in [BCST92].

3.10 Corollary

The Crane Beach conjecture holds for all regular languages. That is, for every set $\mathcal{N}$ of numerical predicates and every regular set $L$ with a neutral letter it is true that $L \in FO[<, \mathcal{N}] \implies L \in FO[<]$.

Proof:

This follows from Theorem 3.9 and the fact, proven in [BCST92], that every regular language definable in $FO[<, \mathcal{N}]$ (using any set $\mathcal{N}$ of numerical predicates) is definable in $FO[<, \{mod_p \mid p \in \mathbb{N}\}]$, where $mod_p(i)$ is true iff $i \equiv 0 \pmod p$. □

Although according to Theorem 3.9 the Crane Beach conjecture holds for the set of all unary relations, it is not true for all binary relations, since $FO[<, +, \times] = FO[<, Bit]$, cf. [Imm98]. In fact, it already fails for the set of all unary functions, or for the set of all linear orderings. This follows from the existence of a unary function $f : \mathbb{N} \to \mathbb{N}$ (see the proof of Theorem 3 in [Sch97]) and a set $O$ of linear orderings (in fact, four order relations suffice, cf. [ScSc]) such that $FO[<, +, \times] = FO[<, Bit] = FO[<, f] = FO[<, O]$.
We can also consider special cases of the Crane Beach conjecture based on restrictions on the type of logical formulas allowed. For example, with arbitrary sets of numerical relations the conjecture does hold for Boolean combinations of $\Sigma_1$-formulas:

3.11 Theorem

Let $\mathcal{N}$ be a set of numerical predicates, and let $L$ be a language with a neutral letter that is definable in the class $BC(\Sigma_1[<, \mathcal{N}])$. Then $L \in BC(\Sigma_1[<])$.

Proof:

We must show that for any set $\mathcal{N}$ of numerical predicates and any language $L$ with a neutral letter, $L$ is definable in $BC(\Sigma_1[<, \mathcal{N}])$ iff it is definable in $BC(\Sigma_1[<])$.

Using Theorem 2.2, we first show the proposition for the special case $\mathcal{N} = \{suc, min, max\}$, where $suc$ is the successor relation, $suc(n, m)$ iff $m = n + 1$, $(w, n) \models min(n)$ iff $n = 1$, and $(w, n) \models max(n)$ iff $n = |w|$.

Let $e$ be the neutral letter, and assume that $L \notin BC(\Sigma_1[<])$. Then, for every $k$, there are strings $u \in L$, $v \notin L$ such that Duplicator wins the single-round $k$-game for $<$ on $u, v$. We can assume $u$ and $v$ to be of the same length $m$ (if not, append $|v| + k$ $e$'s to $u$ and $|u| + k$ $e$'s to $v$). We construct strings $U$ from $u$ and $V$ from $v$ such that $U \in L$, $V \notin L$, and Duplicator wins the single-round $k$-game for $\{<, suc, min, max\}$ on $U, V$. Then $L \notin BC(\Sigma_1[<, suc, min, max])$, which proves the assertion, by contraposition.

In order to construct $U$, insert $2k - 1$ $e$'s between each pair of adjacent positions in $u$, as well as at the beginning and the end of $u$. More precisely, $U = U_1 \cdots U_{2km + 2k - 1}$, with $U_{2kj} = u_j$ for $1 \le j \le m$, and $U_{2kj + i} = e$ for $0 \le j \le m$, $1 \le i < 2k$. Similarly, we construct $V$ from $v$. Since $e$ is neutral, we have $U \in L$, $V \notin L$.

Assume that Spoiler chooses positions $a_1, \ldots, a_k$ in $U$ (the other case is symmetric). Some (possibly all, or none) of the $U_{a_i}$ will be neutral letters, others will be from $A \setminus \{e\}$. For the sake of notational simplicity we will assume, without loss of generality, that $U_{a_1}, \ldots, U_{a_q} \in A \setminus \{e\}$, and $U_{a_{q+1}} = \cdots = U_{a_k} = e$. Then each $a_j$ with $j \le q$ is of the form $2k s_j$, for some $s_j \in \{1, \ldots, m\}$. Now Duplicator simulates a move of Spoiler in the game for $<$ on $u, v$ in which Spoiler pebbles $s_1, \ldots, s_q$ on $u$, and finds her reply, $s'_1, \ldots, s'_q$ on $v$, according to her winning strategy. She then sets, for each $j$ from 1 through $q$, $b_j$ to be $2k s'_j$. Then for each $j, j' \le q$ it holds that

• $b_j \ne b_{j'} + 1$ and $a_j \ne a_{j'} + 1$,

• $b_j < b_{j'} \iff a_j < a_{j'}$, and

• $V_{b_j} = v_{s'_j} = u_{s_j} = U_{a_j}$.

To complete this move, Duplicator has to define $b_{q+1}, \ldots, b_k$ such that $V_{b_{q+1}} = \cdots = V_{b_k} = e$, and such that for all $j, j' \le k$

• $b_j < b_{j'} \iff a_j < a_{j'}$,

• $b_j = b_{j'} + 1 \iff a_j = a_{j'} + 1$, and

• $b_j = 1 \iff a_j = 1$, and $b_j = |V| \iff a_j = |U|$.

Such $b_{q+1}, \ldots, b_k$ can easily be found, since between any two different $b_i, b_j$ with $i, j \le q$, as well as before the first and after the last of them, there are at least $2k - 1$ positions $p$ where $V_p = e$.
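The two games of Section 2.2 and the padding step just described, as an added worked example (this code is not part of the paper): a brute-force decision procedure for the $k$-round game and for the single-round $k$-game on strings, with numerical predicates supplied as Python functions, together with the padding $u \mapsto U$ that inserts $2k-1$ neutral letters around every position. The encodings of $<$, $suc$, $min$ and $max$, the sample strings, and all function names are the example's own choices.

```python
"""Added example (not from the paper): brute-force Ehrenfeucht-Fraisse games on
strings, in the two forms of Section 2.2, and the padding used in the
suc/min/max step of the proof of Theorem 3.11.

A numerical predicate is a pair (arity, f) where f(positions, n) decides the
predicate on a tuple of 1-based positions of a string of length n; the names
LT, SUC, MIN, MAX are this example's own encoding of <, suc, min and max.
"""
from functools import lru_cache
from itertools import product

LT  = (2, lambda p, n: p[0] < p[1])        # x < y
SUC = (2, lambda p, n: p[1] == p[0] + 1)   # suc(x, y): y = x + 1
MIN = (1, lambda p, n: p[0] == 1)          # min(x): x is the first position
MAX = (1, lambda p, n: p[0] == n)          # max(x): x is the last position


def partial_iso(u, v, a, b, preds):
    """Duplicator's winning condition: a_i -> b_i preserves equality, letters
    and every predicate in preds (positions are 1-based, as in the paper)."""
    k = len(a)
    for i in range(k):
        if u[a[i] - 1] != v[b[i] - 1]:
            return False
        for j in range(k):
            if (a[i] == a[j]) != (b[i] == b[j]):
                return False
    for arity, f in preds:
        for idx in product(range(k), repeat=arity):
            pa = tuple(a[i] for i in idx)
            pb = tuple(b[i] for i in idx)
            if f(pa, len(u)) != f(pb, len(v)):
                return False
    return True


def duplicator_wins_rounds(u, v, k, preds):
    """k-round game: in each round Spoiler picks one position in u or in v and
    Duplicator answers in the other string.  True iff Duplicator has a
    winning strategy."""
    preds = tuple(preds)
    nu, nv = len(u), len(v)

    @lru_cache(maxsize=None)
    def dup_wins(a, b, rounds):
        if not partial_iso(u, v, a, b, preds):
            return False
        if rounds == 0:
            return True
        # Duplicator needs a good answer to every Spoiler move in u and in v.
        for x in range(1, nu + 1):
            if not any(dup_wins(a + (x,), b + (y,), rounds - 1)
                       for y in range(1, nv + 1)):
                return False
        for y in range(1, nv + 1):
            if not any(dup_wins(a + (x,), b + (y,), rounds - 1)
                       for x in range(1, nu + 1)):
                return False
        return True

    return dup_wins((), (), k)


def duplicator_wins_single_round(u, v, k, preds):
    """single-round k-game: Spoiler picks all k positions at once in one
    string, Duplicator answers with k positions in the other."""
    preds = tuple(preds)
    pos_u = range(1, len(u) + 1)
    pos_v = range(1, len(v) + 1)
    for a in product(pos_u, repeat=k):
        if not any(partial_iso(u, v, a, b, preds) for b in product(pos_v, repeat=k)):
            return False
    for b in product(pos_v, repeat=k):
        if not any(partial_iso(u, v, a, b, preds) for a in product(pos_u, repeat=k)):
            return False
    return True


def pad(u, k, e="e"):
    """The construction of Theorem 3.11: 2k-1 copies of the neutral letter
    between adjacent positions of u and at both ends, so u_j lands on 2kj."""
    gap = e * (2 * k - 1)
    return gap + gap.join(u) + gap


# Constructed sample strings (not from the paper): u and v show the same pair
# patterns for < (11, 1e, e1, ee), but only v contains two adjacent e's.
U_SAMPLE, V_SAMPLE = "1e1e1e", "1ee1e"


def padding_defeats_successor(u=U_SAMPLE, v=V_SAMPLE, k=2):
    """(before_lt, before_suc, after_all): Duplicator wins the single-round
    k-game for < on u, v; loses once suc is added; wins again for
    <, suc, min, max on the padded strings."""
    before_lt = duplicator_wins_single_round(u, v, k, [LT])
    before_suc = duplicator_wins_single_round(u, v, k, [LT, SUC])
    after_all = duplicator_wins_single_round(pad(u, k), pad(v, k), k, [LT, SUC, MIN, MAX])
    return before_lt, before_suc, after_all


if __name__ == "__main__":
    print("orders of size 3 and 4, 2 rounds:",
          duplicator_wins_rounds("111", "1111", 2, [LT]))   # True: both >= 2^2 - 1
    print("orders of size 3 and 4, 3 rounds:",
          duplicator_wins_rounds("111", "1111", 3, [LT]))
    print("padding experiment:", padding_defeats_successor())
```

The single-letter strings `111` and `1111` illustrate Theorem 2.1 directly: Duplicator survives two rounds but not three, matching the known fact that two linear orders are indistinguishable in $k$ rounds iff they have equal size or both have at least $2^k - 1$ elements. The padding experiment reproduces the argument above on concrete strings: adjacency separates `1e1e1e` from `1ee1e`, and spreading the letters $2k-1$ neutral positions apart removes that advantage.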

Now let $\mathcal{N}$ be an arbitrary finite set of numerical predicates and assume that $L \notin BC(\Sigma_1[<])$. From what we have just shown it follows that, for every $k$, we can find strings $u \in L$, $v \notin L$ of the same length $m$ such that Duplicator has a winning strategy in the single-round $(2k+2)$-game for $<, suc, min, max$ on $u, v$. We want to construct strings $U$ and $V$ by inserting neutral letters into $u$ and $v$, respectively, in such a way that the original letters of $u$ and $v$ are moved onto positions $i_1, \ldots, i_m$ which are, in a certain sense, highly indistinguishable. To this end, we define, for every number $n$, a coloring of the subsets of size $h \le 2k$ of $\{1, \ldots, n\}$. This coloring was inspired by the one used by Straubing in [Str01], in his proof of Theorem 8. There he used the following extension of Ramsey's theorem, which will also help us here:

Theorem Let $m, k, c_1, \ldots, c_k > 0$, with $k \le m$. Let $n$ be sufficiently large as a function of $m$ and the $c$'s. If all $h$-element subsets of $\{1, \ldots, n\}$, with $1 \le h \le k$, are colored from a set of $c_h$ colors, then there exists an $m$-element subset $T$ of $\{1, \ldots, n\}$ such that for each $h$ with $1 \le h \le k$ there exists a color $\kappa_h$ such that all $h$-element subsets of $T$ are colored $\kappa_h$. □

Let $\Gamma = \{\tau_1, \ldots, \tau_t\}$ be the set of all atomic formulas over $\mathcal{N}, <$ on variables $x_1, \ldots, x_k, y_1, \ldots, y_h$. The $\mathcal{N}, <$-type of a tuple $r = (r_1, \ldots, r_k) \in \{1, \ldots, n\}^k$ with respect to an $h$-element set $S = \{p_1 < \cdots < p_h\}$, $\alpha(r, S)$, is the set of all those formulas of $\Gamma$ that are satisfied when $x_i$ is interpreted as $r_i$, and $y_j$ as $p_j$, for $i \le k$ and $j \le h$.

We now color, for each number $n$ and every $h \le 2k$, every $h$-element set $S = \{p_1 < \cdots < p_h\} \subseteq \{1, \ldots, n\}$ with the set of all those $\alpha \subseteq \Gamma$ for which there is a $k$-tuple $r$ over $\{1, \ldots, n\}$ such that $r$ has $\mathcal{N}, <$-type $\alpha$ with respect to $S$. Clearly, for every $h \le 2k$ there is a fixed number of possible colors, independent of $n$. The extension of Ramsey's theorem stated above tells us that for large enough $n$ we can find numbers $i_1 < \cdots < i_m \le n$ such that, for every $h \le 2k$, all $h$-element subsets of $\{i_1, \ldots, i_m\}$ have the same color. We now insert neutral letters into $u$ in such a way that in the resulting string $U$ we have $U_{i_s} = u_s$, for $s = 1, \ldots, m$, and $U_i = e$ for all $i \notin \{i_1, \ldots, i_m\}$. In the same way we construct $V$ from $v$. Let us call $i_1, \ldots, i_m$ the special positions.

We now show that Duplicator has a winning strategy in the single-round $k$-game for $<, \mathcal{N}$ on $U, V$. Assume that Spoiler chooses $a = a_1, \ldots, a_k$ in $U$ (again, the other case is symmetric). Then Duplicator finds, for every $a_j$, the largest special position $i_{s_j}$ not exceeding $a_j$, i.e., $i_{s_j} \le a_j < i_{s_j + 1}$. Let $S = \{i_{s_j}, i_{s_j + 1} \mid j = 1, \ldots, k\}$. Duplicator now simulates a move of Spoiler in the $(2k+2)$-game for $<, suc, min, max$ on $u, v$, in which Spoiler plays all the points $s_j$ and $s_j + 1$, for $j = 1, \ldots, k$, on $u$, as well as $min$ and $max$. Using her winning strategy in this game, Duplicator finds a reply with which she wins the game for $<, suc, min, max$. Therefore, we can safely call these points $t_j, t_j + 1$, for $j = 1, \ldots, k$, and we know that $u_{s_j} = v_{t_j}$, for $j = 1, \ldots, k$. Let $T$ be the set $\{i_{t_j}, i_{t_j + 1} \mid j = 1, \ldots, k\}$. $|T| = |S| = h \le 2k$, so $S$ and $T$ have the same colour, and this implies that there is a tuple $b = (b_1, \ldots, b_k)$ with the same $\mathcal{N}$-type as $a$, and with $\alpha(b, T) = \alpha(a, S)$. Duplicator now puts her pebbles on $b_1, \ldots, b_k$ in $V$. We have to check the winning conditions. By construction, $\alpha(a, S) = \alpha(b, T)$. In particular, this implies that

• $(a_1, \ldots, a_k)$ and $(b_1, \ldots, b_k)$ have the same $\mathcal{N}$-type,

• $a_j < a_{j'} \iff b_j < b_{j'}$, for all $j, j'$,

• if $a_j = i_{s_j}$ then $b_j = i_{t_j}$, hence $U_{a_j} = u_{s_j} = v_{t_j} = V_{b_j}$. If $a_j$ is not of this form then $i_{s_j} < a_j < i_{s_j + 1}$, and consequently $i_{t_j} < b_j < i_{t_j + 1}$ and $U_{a_j} = V_{b_j} = e$.

□

As we have seen, with addition and multiplication first-order logic has enough expressive power to defeat the neutral letter. Addition alone is, in many ways, much weaker than addition and multiplication together. For example, this is witnessed by the fact that the first-order theory of the natural numbers with $+$ and $\times$ is undecidable, whereas Presburger arithmetic, the first-order theory of the natural numbers with addition only, can be decided using quantifier elimination. Also note that at least our technique for producing a counterexample cannot work with addition only, since it is well known (see, e.g., page 12 of [Lyn82]) that $FO[<, +]$ cannot count up to any non-constant function.

It is therefore more than conceivable that addition alone is too weak to make the conjecture fail, and we now show that this is indeed the case.

3.12 Theorem

Every language $L \in FO[<, +]$ that has a neutral letter is definable in $FO[<]$.

As indicated in the introduction, this theorem follows from collapse results for first-order queries over finite databases (e.g., Theorem 5.5 in [BST99]). However, the terminology in which these results are formulated is rather alien to our setting here, so we will instead use a recent collapse result on infinite databases in [LS01]. First, however, let us give an intuitive explanation of the main idea behind the proof. For simplicity, we concentrate on 0-1-strings $u, v$ of the same (large) size and discuss what Duplicator has to do in order to win the $k$-round $\{<, +\}$-game on $u$ and $v$. Let $A$ be the set of indices $a$ for which $u_a = 1$, and similarly $B = \{b \mid v_b = 1\}$. As in previous proofs, we will work with a set $Q$ of indistinguishable positions, and choose $u$ and $v$ such that $A, B \subseteq Q$.

Assume that, after $i - 1$ rounds, positions $a^{(1)}, \ldots, a^{(i-1)}$ have been played in $u$, and $b^{(1)}, \ldots, b^{(i-1)}$ in $v$. Let Spoiler choose some element $a^{(i)}$ in $u$. When choosing $b^{(i)}$ in $v$, Duplicator has to make sure that any Spoiler moves for the remaining $k - i$ rounds in one structure can be matched in the other. In particular, this means that any sum over the $a^{(j)}$ behaves in relation to $A$ exactly as the corresponding sum over the $b^{(j)}$ behaves in relation to $B$. For instance, for any sets $J, J' \subseteq \{1, \ldots, i\}$, it should hold that there is some $a \in A$ that lies between $\sum_{j \in J} a^{(j)}$ and $\sum_{j \in J'} a^{(j)}$ if and only if there is some $b \in B$ that lies between $\sum_{j \in J} b^{(j)}$ and $\sum_{j \in J'} b^{(j)}$. But it is not enough to consider simple sums over previously played elements. Since with $O(r)$ additions it is possible to generate $s \cdot a^{(i)}$ from $a^{(i)}$, for any $s \le 2^r$, we also have to consider linear combinations with coefficients as large as this. Furthermore, since Spoiler is allowed to choose either structure to move in each time, it is necessary to deal with even more complex linear combinations. One can only handle all these complications because, as the game progresses, the number of rounds left for Spoiler to do all these things decreases. This means, for instance, that the coefficients and the length of the linear combinations we have to consider decrease: after the last round, the only relevant linear combinations are simple additions of chosen elements.

All the technical details necessary to make this strategy work are worked out in [Lyn82] in order to prove that for each first-order formula with addition $\varphi$ there is a set $Q \subseteq \mathbb{N}$ such that $\varphi$ cannot distinguish between subsets of $Q$ if they are of equal cardinality, or both large enough. Drawing on Lynch's theorem, in [LS01] the authors prove a theorem which, specialised to our setting, can be formulated as follows.

Theorem ([LS01], Theorem 3.2)

For every $k \in \mathbb{N}$ there exists a number $r(k) \in \mathbb{N}$ and an order-preserving mapping $q : \mathbb{N} \to \mathbb{N}$ such that, for every signature $\sigma$, the following holds: If $\sigma^1$ and $\sigma^2$ are interpretations of $\sigma$ over $\mathbb{N}$, and if $n, m \in \mathbb{N}$ with $(\mathbb{N}, \sigma^1, n) \equiv_{r(k)} (\mathbb{N}, \sigma^2, m)$ (i.e., Duplicator wins the $r(k)$-round game for $<$ and $\sigma$ on the two structures), then

$(\mathbb{N}, q(\sigma^1, n)) \equiv_k^{<,+} (\mathbb{N}, q(\sigma^2, m))$. □

Here, $q(\sigma^1, n)$ is short for $\sigma^{1,q}, q(n)$, where $\sigma^{1,q} = \{R^{1,q} \mid R \in \sigma\}$, and $R^{1,q} = \{q(i) \mid i \in R^1\}$.

Proof of 3.12, using the above theorem:

Assume that $L \notin \mathrm{FO}[<]$, and let $u = u_1 \cdots u_n \in L$, $v = v_1 \ldots v_m \notin L$, such that $u \; v$. We construct strings $U \in L$, $V \notin L$ from $u$ and $v$, respectively, by inserting neutral letters in such a way that $U_{g(i)} = u_i$ and $V_{g(j)} = v_j$, for $i = 1, \ldots, n$, $j = 1, \ldots, m$, where $g$ is as in the theorem. $u$ and $v$ define $\sigma$-interpretations $\sigma^A$ and $\sigma^B$, respectively, and the winning strategy of Duplicator on $u$ and $v$ can easily be extended to $(\mathbb{N}, \sigma^A, n)$ and $(\mathbb{N}, \sigma^B, m)$: If Spoiler plays a position $a_i \le n$ on $(\mathbb{N}, \sigma^A, n)$, this corresponds to a move on $u$, and Duplicator can choose her answer according to her winning strategy on $v$. If Spoiler plays a position $a_i > n$ on $(\mathbb{N}, \sigma^A, n)$, then Duplicator replies with $b_i := m + (a_i - n)$. (The case where Spoiler plays on $(\mathbb{N}, \sigma^B, m)$ is completely symmetric.) Clearly, this defines a winning strategy for Duplicator. Application of the theorem above gives us a winning strategy for Duplicator in the $k$ round game for $\{<, +\}$ on $(\mathbb{N}, g(\sigma^A, n))$ and $(\mathbb{N}, g(\sigma^B, m))$. From this, we obtain a winning strategy for Duplicator in the $k$ round game for $\{<, +\}$ on $U$ and $V$: Every move of Spoiler in $U$ is translated into a move on $(\mathbb{N}, g(\sigma^A, n))$, and Duplicator's reply on $(\mathbb{N}, g(\sigma^B, m))$ is translated back into a move on $V$. The winning condition of Duplicator on $(\mathbb{N}, g(\sigma^A, n))$ and $(\mathbb{N}, g(\sigma^B, m))$ directly translates into the winning condition for Duplicator on $U$ and $V$, thus proving that $U \equiv_k V$. □

4  Discussion 

Much of the above can be generalised from strings to arbitrary relational structures over the natural (or real) numbers. This programme is pursued in [LS01]. With regard to the questions here, the following problems remain open.

• It would be very good to have a proof of Theorem 3.8 that does not rely on [Ajt83, FSS84]. However, since Theorem 3.8 implies the nonexpressibility of PARITY, we expect this to be very difficult.

• What is the status of the conjecture for FO[<,*]? There is a construction of Julia Robinson [Rob49] defining addition from multiplication and the successor operation, but in our context this only suffices to define addition on some numbers (those less than n^/^) from multiplication and order on all numbers. We conjecture that some variant of this construction will suffice to disprove the Crane Beach conjecture for FO[<,*], perhaps by showing it equivalent to FO[<,+,*].

• Can we find a set of numerical predicates that allows us to count up to lg*"*^ n, but not to $\lg n$? What about counting up to even smaller functions? We conjecture that the Crane Beach conjecture is true of a system iff it cannot count beyond a constant.

• Within FO[<,+,*], we can consider the subclasses of formulas based on the number of quantifier alternations. The lg-counting operation requires $\Sigma_3$, and the construction of the counterexample adds a few more levels. This leaves a gap between the upper bound of something like $\Sigma_5$ in Theorem 3.5, and a lower bound of $BC(\Sigma_1)$ in Theorem 3.11. Since in $BC(\Sigma_2)$ counting is only possible up to a constant (cf. [FKPS85]), it is conceivable that the lower bound can be improved.

• Theorem 3.12 places limits on the power of a particular uniform circuit complexity class, an "addition-uniform" version of $\mathrm{AC}^0$. Can we use these techniques to place limits on the power of more powerful uniform versions of $\mathrm{AC}^0$ (without using the non-uniform lower bounds) or on addition-uniform versions of more powerful classes? This has been done for one such class, an addition-uniform version of LOGCFL, by Lautemann, McKenzie, Schwentick, and Vollmer [LMSV99].

• It would also be of interest to study the conjecture for certain extensions of FO, such as FO with unary counting quantifiers or FO with modulo counting quantifiers. These each have various versions depending on the numerical predicates available.
Abstract

We introduce a new Ehrenfeucht-Fraïssé game for proving lower bounds on the size of first-order formulas. Up until now such games have only been used to prove bounds on the operator depth of formulas, not their size. We use this game to prove that the CTL$^+$ formula $\mathrm{Occur}_n = E[Fp_1 \wedge Fp_2 \wedge \cdots \wedge Fp_n]$, which says that there is a path along which the predicates $p_1$ through $p_n$ occur in some order, requires size $n!$ to express in CTL. Our lower bound is optimal. It follows that the succinctness of CTL$^+$ with respect to CTL is exactly $\Theta(n)!$. Wilke had shown that the succinctness was at least exponential [Wil99].

We also use our games to prove an optimal $\Theta(n)$ lower bound on the number of boolean variables needed for a weak reachability logic ($\mathcal{RL}^w$) to polynomially embed the language LTL. The number of booleans needed for full reachability logic $\mathcal{RL}$ and the transitive closure logic FO$^2$(TC) remain open [IV97, AI00].


1  Introduction 

We introduce a new Ehrenfeucht-Fraïssé game for proving lower bounds on the size of first-order formulas. Previous such games only proved lower bounds on the quantifier depth of formulas.

We use this game to prove that the CTL$^+$ formula,

$\mathrm{Occur}_n \equiv E[Fp_1 \wedge Fp_2 \wedge \cdots \wedge Fp_n]$ (1.1)

requires size $n!$ to express in CTL. The formula $\mathrm{Occur}_n$ says that there exists a path such that each of the predicates $p_i$ occurs somewhere along this path. ($E$ is the existential path quantifier: there exists a maximal path starting from the current point. $F$ is the modal quantifier: somewhere now or in the future along the current path.)

This offers a quite different proof and improves the exponential lower bound on the succinctness of CTL compared with CTL$^+$ [Wil99]. We thus prove that the succinctness of CTL$^+$ with respect to CTL is exactly $\Theta(n)!$.

We prove that the parse tree of any CTL formula expressing $\mathrm{Occur}_n$ has at least $n!$ leaves. This bound is exactly optimal because the following formula expresses $\mathrm{Occur}_n$ and has $n!$ leaves in its parse tree. Here we use $[n]$ to denote $\{1, 2, \ldots, n\}$.

$$P_n = \bigvee_{i_1 \in [n]} EF\Big(p_{i_1} \wedge \bigvee_{i_2 \in [n] - \{i_1\}} EF\big(p_{i_2} \wedge \cdots \vee EF(\cdots \wedge EF\, p_{i_n}) \cdots \big)\Big)$$

The main contribution of these results is not so much the introduction of the new formula-size games, as their effective use in proving a new and optimal result. Standard Ehrenfeucht-Fraïssé games are played on a single pair of structures $A, B$. They are used to prove lower bounds on the quantifier depth of a formula $\varphi$ needed to distinguish $A$ from $B$. Our new game works on a whole set of structures $\mathcal{A}, \mathcal{B}$ where all of $\mathcal{A}$ satisfies $\varphi$ and all of $\mathcal{B}$ satisfies $\neg\varphi$. In a standard game, the pair of structures $A$ and $B$ may differ on a disjunction: $\varphi = \alpha \vee \beta$. In this case they differ on $\alpha$ or they differ on $\beta$ and the "or" may be discarded. However, in the formula-size game, the set of structures $\mathcal{A}$ must be split into two portions: $\mathcal{A}_1$ satisfying $\alpha$ and $\mathcal{A}_2$ satisfying $\beta$. All of $\mathcal{B}$ satisfies $\neg\alpha$ and $\neg\beta$. Thus the game on $(\mathcal{A}, \mathcal{B})$ is shifted to a pair of games, $(\mathcal{A}_1, \mathcal{B})$ and $(\mathcal{A}_2, \mathcal{B})$.

There are extensive connections between the computational complexity of a problem and its descriptive complexity, i.e., how complex a formula is needed to describe the problem. Descriptive complexity is measured via the size, number of variables, operator depth, etc. of the requisite formulas as a function of the size of the input structures being described [Imm99].

The formula-size games introduced here generalize standard EF games. They are also related to the communication complexity games that Karchmer and Wigderson used to prove lower bounds on the depth of monotone circuits [Kar89]¹. In the past, EF games have been useful in proving bounds on operator depth and number of variables, but they have not been used to prove lower bounds on the size of formulas. This has been a crucial lack, which the present paper takes a step in correcting.

The added complication of formula-size games means that we must build up considerable machinery to use them to prove lower bounds. Such lower bounds were heretofore unattainable for general first-order formulas. We believe that this game and the corresponding methods will have many applications.

In another application of formula-size games we show that $\Theta(n)$ booleans are needed to translate an LTL formula of size $n$ to a polynomial-size formula of the reachability logic $\mathcal{RL}^w$.

This paper is organized as follows: In §2 we provide the necessary background in logic including the introduction of transitive closure logic (FO(TC)) which provides the general setting for the games that we present. In §3 we review Ehrenfeucht-Fraïssé games and present the new formula-size games for FO(TC). In §4 we present the formula-size game for CTL. In §5 we define the graphs $G_n$ over which we prove our lower bound. In §6 we prove our main result, the optimal $n!$ lower bound on the succinctness of CTL$^+$ with respect to CTL. In §7 we prove a $\Theta(n)$ lower bound on the number of boolean variables needed for $\mathcal{RL}^w$ to express $\mathrm{Occur}_n$ in polynomial size. In Appendix A we describe the language CTL and in Appendix B we describe reachability logic ($\mathcal{RL}$).

2  Background 

In this section we review some basic definitions concerning finite model theory and transitive closure logic [Imm99].

The language $\mathcal{L}$ consists of first-order logic with unary relation symbols $\{P_n : n \in \mathbb{N}\}$, and a binary relation symbol, $R$. By the size of a formula, we mean the number of nodes in its parse tree, i.e., the number of occurrences of logical connectives, quantifiers, operators, and atomic symbols.

For our purposes, a Kripke structure is a finite labeled graph:

$\mathcal{K} =$ (2.1)

¹ Karchmer and Wigderson gave general games for proving lower bounds on circuit depth; but they proved lower bounds only using a monotone version of their games. They cast their games as a communication game in which two sets of structures differ on some property. Through successive bits of communication, each of which divides one of the sets of structures in half, eventually the sets are reduced to a collection of pairs where each pair differs on a particular bit. This is analogous to the closed nodes of our formula-size game, in which each pair differs on a particular atomic formula.


where $S$ is the set of states (vertices), each $P_i \subseteq S$ is a unary relation on $S$, and $R \subseteq S^2$ is the edge relation.

First-order logic $\mathcal{L}$ does not suffice to express such simple formulas as,

"There is a path from where we are ($x$) to a vertex where $P_{17}$ holds." (2.2)

For this reason we add a transitive closure operator to first-order logic to allow us to express reachability [Imm87].

Let the formula $\varphi(x_1, \ldots, x_k, y_1, \ldots, y_k)$ represent a binary relation on $k$-tuples. We express the reflexive, transitive closure of this relation using the transitive-closure operator (TC), as follows: $TC_{\bar{x}\bar{y}}\,\varphi$. Let FO(TC) be the closure of first-order logic under the transitive-closure operator. For example, the following formula expresses Equation 2.2: $(\exists y)[(TC_{x,y} R(x,y))(x,y) \wedge P_{17}(y)]$.

3 Ehrenfeucht-Fraïssé Games

We assume that the reader is somewhat familiar with classical Ehrenfeucht-Fraïssé (EF) games [Ehr61, Fra54, Imm99]. Typically there is a pair of structures $A, B$ and two players. Samson chooses vertices, trying to point out a difference between the two structures, and Delilah replies, trying to keep them looking the same. Typical games have a certain number of pebbles corresponding to variables, and rounds corresponding to the depth of nesting of quantifiers and other operators such as TC.

The typical fundamental theorem of EF games is that Delilah has a winning strategy for the $k$-pebble, $m$-move game on $A, B$ iff $A$ and $B$ agree on all $k$-variable, depth-$m$ formulas. EF games are used to show nonexpressivity of a property $\Phi$ as follows: Delilah chooses a pair of structures $A, B$ that disagree on $\Phi$ but such that she has a winning strategy for the $m$-move, $k$-pebble game. It then follows that $\Phi$ is not expressible via a $k$-variable, depth-$m$ formula.

We now present new games for proving lower bounds on formula size rather than depth. We first define the formula-size game for the language FO$^2$(TC), first-order logic with 2 variables and the transitive closure operator. We chose this logic because it is simple, expressive, and quite general. It is easy to see how to generalize the game and its corresponding fundamental theorem to most reasonable logics by adding more variables and other operators. In the sequel we will specialize the FO$^2$(TC) game to a less general language, CTL, where we will prove our main results.

Definition 3.1 (FO$^2$(TC) Formula-Size Game) In the formula-size game, Delilah starts by picking two finite sets of structures: $\mathcal{A}_0, \mathcal{B}_0$. The root of the game tree is labeled $\mathcal{A}_0, \mathcal{B}_0$. (The intuitive idea is that there is some property $\Phi$ such that every structure in $\mathcal{A}_0$ satisfies $\Phi$ ($\mathcal{A}_0 \models \Phi$) and no structure in $\mathcal{B}_0$ satisfies $\Phi$ ($\mathcal{B}_0 \models \neg\Phi$).)

At each move, Samson may play on any of the open leaves of the current game tree. (One of Samson's possible moves will be to close a leaf.) Suppose that the leaf that Samson chooses to play on is labeled with the pair of sets $\mathcal{A}, \mathcal{B}$.

"not" move: Samson switches the two sets, letting the current leaf have a unique child labeled $\mathcal{B}, \mathcal{A}$.

"or" move: Samson splits $\mathcal{A}$ into two sets: $\mathcal{A} = \mathcal{A}' \cup \mathcal{A}''$. He lets the current leaf have two children labeled $\mathcal{A}', \mathcal{B}$ and $\mathcal{A}'', \mathcal{B}$.

$\exists$ move: Samson chooses a variable $v \in \{x, y\}$. He then assigns a value for $v$ to every structure $A \in \mathcal{A}$. Delilah then answers by assigning a value for $v$ to every structure $B \in \mathcal{B}$. Let $\mathcal{A}', \mathcal{B}'$ be the two sets of structures with the new assignments for $v$. The current leaf is then given a child labeled $\mathcal{A}', \mathcal{B}'$.

TC move: Samson chooses a pair of previously assigned variables $v, v' \in \{x, y\}$. For every structure $A \in \mathcal{A}$, Samson then chooses a sequence of vertices from $A$: $v^A = a_0, a_1, a_2, \ldots, a_t = v'^A$. Delilah then answers by choosing for every structure $B \in \mathcal{B}$ a similar sequence, $v^B = b_0, b_1, b_2, \ldots, b_{t'} = v'^B$. Samson then chooses a single consecutive pair $b_i, b_{i+1}$ for each $B$ and assigns $x$ to $b_i$ and $y$ to $b_{i+1}$. The current leaf is then given a child labeled $\mathcal{A}', \mathcal{B}'$ where $\mathcal{B}'$ is the result of these new assignments for each structure in $\mathcal{B}$. $\mathcal{A}'$ consists of multiple copies of each structure $A \in \mathcal{A}$, one for each consecutive pair $a_j, a_{j+1}$ in the sequence for $A$ chosen by Samson and with $x$ assigned to $a_j$ and $y$ assigned to $a_{j+1}$.

The idea behind this move is that Samson is asserting that every structure in $\mathcal{A}$ satisfies $TC_{x,y}(\delta)(v, v')$ and no structure in $\mathcal{B}$ does. He thus presents what he claims is a $\delta$-path from $v$ to $v'$ for each structure $A$ in $\mathcal{A}$. Delilah answers with a supposed $\delta$-path from $v$ to $v'$ for every $B$ in $\mathcal{B}$. Samson must then challenge one pair $b_i, b_{i+1}$ in each of Delilah's supposed $\delta$-paths. He is in effect saying "$\neg\delta(b_i, b_{i+1})$". At the end of this move, every structure in $\mathcal{A}'$ should satisfy $\delta(x, y)$ and no structure in $\mathcal{B}'$ should.

atomic move: Samson chooses $v, v' \in \{x, y\}$ and an atomic formula $\alpha(v, v')$. ($\alpha$ can be $v = v'$, $R(v, v')$ or $P_i(v)$.) Samson can only make this move if every structure in $\mathcal{A}$ satisfies $\alpha(v, v')$ and no structure in $\mathcal{B}$ does. In this case, the current leaf is closed.

The object of the game for Samson is to close the whole game tree while keeping it as small as possible. Delilah on the other hand wants to make the tree as large as possible.

Delilah may make multiple copies of the structures in $\mathcal{B}$ before any of her moves. For this reason, there is an obvious strategy for Delilah that is optimal, namely do everything: in answer to an existential move, make a copy of $B$ for each vertex in $B$ and reply with that vertex. Similarly, in answer to a TC move, Delilah can make enough copies of $B$ and answer with all possible sequences without repetitions from $v$ to $v'$. □

The reason that Delilah is allowed to make multiple copies in the size game is that otherwise Samson need not play relevant parts of the minimal formula separating $\mathcal{A}$ and $\mathcal{B}$. For example, suppose that $\mathcal{A} = \{A\}$ and $\mathcal{B} = \{B\}$ each consist of a single structure. Suppose that the smallest formula true of $A$ but not $B$ is,

$\exists x \exists y\,(p_1(x) \leftrightarrow p_1(y) \wedge p_2(x) \leftrightarrow p_2(y) \wedge \cdots \wedge p_n(x) \leftrightarrow p_n(y))$,

i.e., $A$ has two points agreeing on all $n$ predicate symbols, but $B$ does not. If Delilah could not make duplicates, then Samson could just choose the relevant $x$ and $y$ in $A$ and Delilah would have to answer with a single pair from $B$. Then either the $x$'s or the $y$'s would differ on some predicate symbol $p_i$ and Samson could close a game tree of size 3, rather than $n$.

The fundamental theorem of the formula-size game is:

Theorem 3.2 Samson can close the game started at $\mathcal{A}_0, \mathcal{B}_0$ in a tree of size $s$ iff there is a formula $\varphi \in$ FO$^2$(TC) of size at most $s$ such that every structure in $\mathcal{A}_0$ satisfies $\varphi$ and no structure in $\mathcal{B}_0$ does.

Proof: Suppose that $\varphi$ of size $s$ separates $\mathcal{A}_0$ and $\mathcal{B}_0$. Then Samson can "play $\varphi$" and a closed game tree of size $s$ will result. Playing $\varphi$ means the following. Suppose that $\mathcal{A} \models \varphi$ and $\mathcal{B} \models \neg\varphi$.

$\varphi = \neg\psi$: Samson plays the "not" move. In the resulting leaf $\mathcal{A}' \models \psi$ and $\mathcal{B}' \models \neg\psi$.

$\varphi = \psi \vee \rho$: Samson plays the "or" move letting $\mathcal{A}'$ be the subset of $\mathcal{A}$ satisfying $\psi$ and $\mathcal{A}''$ the subset satisfying $\rho$. Thus one child differs on $\psi$ and the other differs on $\rho$.

$\varphi = (\exists v)\psi$: Samson plays the $\exists$ move assigning $v$ to a witness for $\psi$ in every structure of $\mathcal{A}$. Thus, whatever Delilah answers we have that $\mathcal{A}' \models \psi$ and $\mathcal{B}' \models \neg\psi$.

$\varphi = TC_{x,y}(\delta)(v, v')$: Samson plays the TC move and, as argued in the discussion after the definition of this move, $\mathcal{A}' \models \delta$ and $\mathcal{B}' \models \neg\delta$.

$\varphi$ is atomic: Samson plays the atomic move, using $\varphi$, and succeeds in closing this leaf.
Conversely, suppose that Samson has succeeded in closing the game in size $s$ and that Delilah has played optimally. It follows that the resulting game tree is a size $s$ formula satisfied by all of $\mathcal{A}_0$ and none of $\mathcal{B}_0$.

This can be seen inductively from the leaves of the closed game tree. For a closed leaf, $\mathcal{A} \models \alpha$ and $\mathcal{B} \models \neg\alpha$, where $\alpha$ is an atomic formula, i.e., has size one.

Inductively, assume that $(\mathcal{A}, \mathcal{B})$ has children $(\mathcal{A}_i, \mathcal{B}_i)$ each differing on a formula of size $s_i$, where $i = 1$ for "not", $\exists$ and TC moves and $i = 1, 2$ for the "or" move. Here $s_i$ is the size of the subtree rooted at $(\mathcal{A}_i, \mathcal{B}_i)$.

"not" move: $\mathcal{A} \models \neg\psi_1$, $\mathcal{B} \models \psi_1$ and thus they differ on a formula of size $s_1 + 1$.

"or" move: $\mathcal{A} \models \psi_1 \vee \psi_2$, $\mathcal{B} \models \neg(\psi_1 \vee \psi_2)$ and thus they differ on a formula of size $s_1 + s_2 + 1$.

$\exists$ move: $\mathcal{A} \models (\exists v)\alpha_1$, $\mathcal{B} \models \neg(\exists v)\alpha_1$, and thus they differ on a formula of size $s_1 + 1$. Note that since Delilah plays optimally, if it were the case that some $B \in \mathcal{B}$ satisfies $(\exists v)\alpha_1$, then Delilah would have chosen the appropriate witness for this $B$ and it would not have been the case that $\mathcal{B}_1 \models \neg\alpha_1$.

TC move: $\mathcal{A} \models TC_{x,y}(\alpha_1)(v, v')$, $\mathcal{B} \models \neg TC_{x,y}(\alpha_1)(v, v')$, and thus they differ on a formula of size $s_1 + 1$. By the definition of the TC move, since $\mathcal{A}_1 \models \alpha_1$, we know that for every $A \in \mathcal{A}$, there is an $\alpha_1$-path from $v^A$ to $v'^A$. Furthermore, if there were an $\alpha_1$-path from $v^B$ to $v'^B$, for some $B \in \mathcal{B}$, then Delilah would have played it for one of her copies of $B$. Therefore, no matter which consecutive pair in this path Samson challenged, it would satisfy $\alpha_1$.

Thus $\mathcal{A}_0$ and $\mathcal{B}_0$ differ on a formula of size $s$. □


4  Definition  of  the  CTL  Game 

For a definition of CTL see the appendix or [CGP99]. We now define the CTL formula-size game². This is a restriction of the FO$^2$(TC) formula-size game (Definition 3.1) as follows.

• There is only a single pebble name: $x$.

• The "not" and "or" moves are unchanged.

• The atomic move is unchanged except that it is played only using atomic formulas $p_i$.

² It is easy to generalize this also to the CTL* formula-size game, but we leave this to the reader.


• The $\exists$ and TC moves are replaced by the following, played on a leaf, $\ell$, labeled with the pair of sets $\mathcal{A}, \mathcal{B}$.

EX move: For each $A \in \mathcal{A}$, Samson reassigns $x$ to a child of the current $x$. Delilah answers by first making as many copies of each $B \in \mathcal{B}$ as she wishes. For each copy $B \in \mathcal{B}$ she assigns $x$ to a child of the current $x$. The resulting node labeled $\mathcal{A}', \mathcal{B}'$ becomes the only child of $\ell$.

EU move: For each $A \in \mathcal{A}$, Samson chooses a path of length zero or more: $x^A = a_0, a_1, \ldots, a_r$. Delilah answers as above with a path $x^B = b_0, b_1, \ldots, b_s$ for each copy she makes of each $B \in \mathcal{B}$. Samson is trying to assert that $(A, x) \models E(\alpha U \beta)$, i.e., that $(A, a_i) \models \alpha$ for $i < r$, and $(A, a_r) \models \beta$. Presumably this holds for all of Samson's chosen paths and none of Delilah's.

In the second half of the move, Samson divides the paths chosen by Delilah into two sets. For the first set he assigns $x$ to some $b_i$ with $i < s$ and puts these structures into $\mathcal{B}_1$. For the second set he assigns $x$ to $b_s$ and puts these structures into $\mathcal{B}_2$. Delilah answers by making enough copies so that she can assign $x$ to each possible point in Samson's paths. When she assigns $x$ to the final point of a path, she puts that structure in $\mathcal{A}_2$. When she assigns $x$ to a non-final point she puts that structure into $\mathcal{A}_1$. The node $\ell$ now has two children labeled $\mathcal{A}_1, \mathcal{B}_1$ and $\mathcal{A}_2, \mathcal{B}_2$ respectively.

Intuitively what has happened in the second half of this move is that for those paths chosen by Delilah whose final points do not satisfy $\beta$, Samson chooses this point and puts the structure into $\mathcal{B}_2$. For those paths one of whose non-final points does not satisfy $\alpha$, Samson chooses this point and puts the structure into $\mathcal{B}_1$. At the end of the move we have that $\mathcal{A}_1 \models \alpha$, $\mathcal{B}_1 \models \neg\alpha$, $\mathcal{A}_2 \models \beta$, and $\mathcal{B}_2 \models \neg\beta$. If the set $\mathcal{B}_1$ or $\mathcal{B}_2$ should happen to be empty then that node is considered closed.

AU move: This is similar to the EU move except that the first half of the move now has two parts: (a) Samson chooses a maximal path for each structure in $\mathcal{B}$, and Delilah makes copies and chooses a maximal path for each copy of each structure in $\mathcal{A}$; (b) Samson chooses a finite initial segment of each path chosen by Delilah and then Delilah chooses a finite initial segment of each path chosen by Samson. Delilah may make copies of the paths chosen by Samson in order to choose more than one initial segment from each path. The second half of the move is the same as for the EU move.

It should be clear from the above definition and the proof of Theorem 3.2 that the following theorem holds:

Theorem 4.1 Samson can close the CTL formula-size game started at $\mathcal{A}_0, \mathcal{B}_0$ in a tree of size $s$ iff there is a formula $\varphi \in$ CTL of size at most $s$ such that every structure in $\mathcal{A}_0$ satisfies $\varphi$ and no structure in $\mathcal{B}_0$ does.
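The following is an added worked example and not code from the paper: it plays the first half of the proof of Theorem 3.2 ("Samson plays $\varphi$") for the fragment of the CTL game of Section 4 with the "not", "or", EX and atomic moves, with Delilah answering each EX move by the "do everything" strategy of Definition 3.1 (one copy of each $B$ per successor). The Kripke structure, the pointed structures and the formulas are constructed here; `play` returns the game tree Samson obtains and whether every leaf could be closed, so one can check that the tree has exactly size($\varphi$) nodes when $\varphi$ separates the two sets, and that the play fails when some structure on the $\mathcal{B}$ side satisfies $\varphi$, because Delilah's copies make the atomic move unavailable.

```python
# Added example (not the paper's code). Formulas are nested tuples:
#   ("p", i)        atomic predicate p_i
#   ("not", f)      negation
#   ("or", f, g)    disjunction
#   ("EX", f)       some successor satisfies f

class Kripke:
    """Finite labeled graph: succ[s] lists the successors of state s,
    label[s] is the set of i such that p_i holds at s."""
    def __init__(self, succ, label):
        self.succ = succ
        self.label = label

def size(f):
    """Number of nodes in the parse tree of f (the paper's measure of formula size)."""
    return 1 + sum(size(g) for g in f[1:] if isinstance(g, tuple))

def sat(K, s, f):
    """Truth of f at state s of K."""
    op = f[0]
    if op == "p":
        return f[1] in K.label[s]
    if op == "not":
        return not sat(K, s, f[1])
    if op == "or":
        return sat(K, s, f[1]) or sat(K, s, f[2])
    if op == "EX":
        return any(sat(K, t, f[1]) for t in K.succ[s])
    raise ValueError(op)

def play(f, A, B):
    """Samson plays f at a leaf labeled (A, B); A and B are lists of pointed
    structures (K, s).  Returns (tree, closed) with tree = (A, B, children)."""
    op = f[0]
    if op == "p":
        # atomic move: allowed only if all of A and none of B satisfy p_i
        closed = all(sat(K, s, f) for K, s in A) and not any(sat(K, s, f) for K, s in B)
        return (A, B, []), closed
    if op == "not":
        child, closed = play(f[1], B, A)          # "not" move swaps the two sets
        return (A, B, [child]), closed
    if op == "or":
        # "or" move: split A by which disjunct each structure satisfies
        A1 = [a for a in A if sat(a[0], a[1], f[1])]
        A2 = [a for a in A if not sat(a[0], a[1], f[1])]
        c1, ok1 = play(f[1], A1, B)
        c2, ok2 = play(f[2], A2, B)
        return (A, B, [c1, c2]), ok1 and ok2
    if op == "EX":
        # EX move: Samson steps each A to a witness, Delilah copies each B to every successor
        A_next = []
        for K, s in A:
            witnesses = [t for t in K.succ[s] if sat(K, t, f[1])]
            if not witnesses:                     # f is false here; this leaf cannot close
                return (A, B, []), False
            A_next.append((K, witnesses[0]))
        B_next = [(K, t) for K, s in B for t in K.succ[s]]
        child, closed = play(f[1], A_next, B_next)
        return (A, B, [child]), closed
    raise ValueError(op)

def tree_size(tree):
    return 1 + sum(tree_size(c) for c in tree[2])

# Constructed structure: from s0 one can step to a p_1-state or to a p_2-state,
# from t0 only to a p_1-state; every state also loops to itself.
K = Kripke(
    succ={"s0": ["s1", "s2"], "s1": ["s1"], "s2": ["s2"], "t0": ["t1"], "t1": ["t1"]},
    label={"s0": set(), "s1": {1}, "s2": {2}, "t0": set(), "t1": {1}},
)

def run(f, A, B):
    """(size of the game tree Samson built, whether all of its leaves closed)."""
    tree, closed = play(f, A, B)
    return tree_size(tree), closed

def demo():
    A, B = [(K, "s0")], [(K, "t0")]
    return {
        "EX p2": run(("EX", ("p", 2)), A, B),                       # (2, True)
        "EX p1": run(("EX", ("p", 1)), A, B),                       # (2, False): t0 also satisfies it
        "not EX p2 (sets swapped)": run(("not", ("EX", ("p", 2))), B, A),   # (3, True)
        "p1 or p2": run(("or", ("p", 1), ("p", 2)), [(K, "s1"), (K, "s2")], B),  # (3, True)
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In each closed case the tree has exactly size($\varphi$) nodes, as the proof of Theorem 3.2 requires; the `EX p1` case shows why Delilah's copying matters, since her copy of $t_0$ moved to $t_1$ satisfies $p_1$ and the leaf cannot close.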

5  Setting  Up  the  Playing  Field 

In this section we describe the graphs on which we will play the CTL game to prove our main lower bound, Theorem 6.1. For each $n \ge 1$, we will build two sets of graphs $\mathcal{A}_0, \mathcal{B}_0$ such that $\mathcal{A}_0 \models \mathrm{Occur}_n$ and $\mathcal{B}_0 \models \neg\mathrm{Occur}_n$. For each of the $n!$ possible paths that might satisfy $\mathrm{Occur}_n$, $\mathcal{A}_0$ will include one graph that contains this path. Furthermore, we give each graph in $\mathcal{A}_0$ and $\mathcal{B}_0$ copies of all permutations of length $n - 1$. This will help make $\mathcal{A}_0$ and $\mathcal{B}_0$ very difficult to distinguish.

For any fixed $n \ge 1$ consider the following directed graph, $G_n = (V_n, E_n)$. Let $\Pi_{[n]}$ be the set of all permutations $\pi$ on any nonempty subset of $[n]$ and let $\Pi_n$ be the set of permutations on the full set $[n]$. The vertices of $G_n$ consist of the union of two sets, $V_n = T_n \cup F_n$:

$T_n = \{t_\pi \mid \pi \in \Pi_{[n]}\}$; $F_n = \{f_\pi \mid \pi \in \Pi_{[n]}\}$

We represent the permutation $\pi \in \Pi_{[n]}$ as a 1:1 map,

$\pi : [|\mathrm{rng}(\pi)|] \to \mathrm{rng}(\pi) \subseteq [n]$.

For any such permutation $\pi$ on at least two elements, define its tail, $\mathrm{tail}(\pi) : [|\mathrm{rng}(\pi)| - 1] \to \mathrm{rng}(\pi) - \{\pi(1)\}$ where $\mathrm{tail}(\pi)(i) = \pi(i+1)$. For ease of notation, let $\pi^2 = \mathrm{tail}(\pi)$, and in general, $\pi^{k+1} = \mathrm{tail}^k(\pi)$, i.e., the permutation $\pi$ starting from item $k + 1$.

For all $\pi \in \Pi_{[n]}$, the relation $P_{\pi(1)}$ holds of vertex $t_\pi$. Also, if $\pi$ is a permutation on at least two elements then $P_{\pi(1)}$ holds of vertex $f_\pi$.

The node $f_\pi$ has edges to the following successor nodes:

• $t_\sigma \in T_n$ where $\mathrm{rng}(\sigma) \subseteq \mathrm{rng}(\pi) - \{j\}$, for some $j \in \mathrm{r
ng}(\pi)$, $j \ne \pi(1)$

• $f_\sigma \in F_n$ where $\mathrm{rng}(\sigma) \subseteq \mathrm{rng}(\pi) - \{j\}$, for some $j \in \mathrm{rng}(\pi)$

The node $t_\pi$ has edges to all the successors of $f_\pi$ together with the additional successor $t_{\pi^2}$. Furthermore, every vertex in $V_n$ has an edge back to itself.

Consider the following sets of vertices and structures,

$Y_n = \{t_\pi \in T_n \mid \pi \in \Pi_n\}$

$N_n = \{f_\pi \in F_n \mid \pi \in \Pi_n\}$

$\mathcal{A}_0 = \{(G_n, t_\pi) \mid t_\pi \in Y_n\}$

$\mathcal{B}_0 = \{(G_n, f_\pi) \mid f_\pi \in N_n\}$

The idea behind $G_n$ is that for each $\pi \in \Pi_n$, $t_\pi$ and $f_\pi$ are very difficult to distinguish. However, observe that,

Lemma 5.1 For any $\pi \in \Pi_n$,

$(G_n, t_\pi) \models \mathrm{Occur}_n$, but $(G_n, f_\pi) \models \neg\mathrm{Occur}_n$.
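The graph $G_n$ and Lemma 5.1 as an added example (constructed here, not the paper's code): the Python below builds $G_n$ from the definition above, representing a permutation $\pi$ as a tuple so that $\pi(1)$ is `pi[0]` and $\mathrm{tail}(\pi)$ is `pi[1:]`, and decides $\mathrm{Occur}_n$ at a vertex by a memoised search over pairs (vertex, predicates still needed). The search ignores self-loops, which is sound for $G_n$ because every other edge strictly shrinks $\mathrm{rng}(\pi)$, so it terminates. The names `build_Gn`, `occur` and `check_lemma_5_1` are the example's own.

```python
from functools import lru_cache
from itertools import combinations, permutations

# Added example (not the paper's code): G_n of Section 5 and a brute-force check
# of Lemma 5.1. Vertices are ("t", pi) and ("f", pi) for pi in Pi_[n].

def all_perms(n):
    """Pi_[n]: every permutation of every nonempty subset of [n] = {1, ..., n}."""
    return [p for k in range(1, n + 1)
              for sub in combinations(range(1, n + 1), k)
              for p in permutations(sub)]

def build_Gn(n):
    """Return (succ, label): succ[v] is the successor set of v (self-loop included),
    label[v] is the set of i such that P_i holds at v."""
    perms = all_perms(n)
    label, succ = {}, {}
    for pi in perms:
        label[("t", pi)] = {pi[0]}                              # P_{pi(1)} holds at t_pi
        label[("f", pi)] = {pi[0]} if len(pi) >= 2 else set()  # and at f_pi when |pi| >= 2
    for pi in perms:
        rng = set(pi)
        f_succ = set()
        for sigma in perms:
            rs = set(sigma)
            # f_sigma is a successor iff rng(sigma) ⊆ rng(pi) - {j} for some j in rng(pi)
            if any(rs <= rng - {j} for j in rng):
                f_succ.add(("f", sigma))
            # t_sigma is a successor under the same condition with j != pi(1)
            if any(rs <= rng - {j} for j in rng if j != pi[0]):
                f_succ.add(("t", sigma))
        succ[("f", pi)] = f_succ | {("f", pi)}                  # every vertex has a self-loop
        t_succ = f_succ | {("t", pi)}                           # t_pi gets all successors of f_pi
        if len(pi) >= 2:
            t_succ.add(("t", pi[1:]))                           # plus the extra successor t_{pi^2}
        succ[("t", pi)] = t_succ
    return succ, label

def occur(succ, label, start, n):
    """(G, start) |= Occur_n = E[F p_1 ∧ ... ∧ F p_n]: some path from start visits a
    P_i-vertex for every i in [n].  Self-loops are skipped; in G_n every other edge
    strictly shrinks rng(pi), so the memoised recursion is finite."""
    @lru_cache(maxsize=None)
    def reach(v, need):
        need = need - label[v]
        if not need:
            return True
        return any(reach(w, need) for w in succ[v] if w != v)
    return reach(start, frozenset(range(1, n + 1)))

def check_lemma_5_1(n):
    """(every t_pi with pi in Pi_n satisfies Occur_n, no f_pi with pi in Pi_n does)."""
    succ, label = build_Gn(n)
    full = list(permutations(range(1, n + 1)))
    return (all(occur(succ, label, ("t", pi), n) for pi in full),
            all(not occur(succ, label, ("f", pi), n) for pi in full))

if __name__ == "__main__":
    for n in range(1, 5):
        print(n, check_lemma_5_1(n))   # (True, True) for each n
```

For $n = 2$ the search from $t_{(1,2)}$ succeeds through the tail edge $t_{(1,2)} \to t_{(2)}$, while from $f_{(1,2)}$ every non-loop edge drops an element of $\mathrm{rng}(\pi)$ that has not yet been seen, which is exactly the asymmetry Lemma 5.1 states.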

6  Playing  the  CTL  Game 

In this section we prove the following,

Theorem 6.1 The formula $\mathrm{Occur}_n$ (Equation 1.1) cannot be expressed in a CTL formula of size less than $n!$. Thus, there is a CTL$^+$ formula of size $O(n)$ whose smallest equivalent CTL formula has size $n!$.

Corollary 6.2 The succinctness of CTL$^+$ with respect to CTL is exactly $\Theta(n)!$.³

By Lemma 5.1 we have that $\mathcal{A}_0 \models \mathrm{Occur}_n$ and $\mathcal{B}_0 \models \neg\mathrm{Occur}_n$. To prove Theorem 6.1 it suffices to show the following.

Lemma 6.3 Samson cannot close the CTL game on $(\mathcal{A}_0, \mathcal{B}_0)$ in a game tree with fewer than $n!$ leaves.

We will prove Lemma 6.3 through a series of additional lemmas. Since there is only one structure, namely $G_n$, on which we are playing and the only thing that matters is where $x$ is assigned, we will abbreviate the structure $A$ for which $x^A = a$ by the point $a$. Thus a tree node will be labeled $\mathcal{A}, \mathcal{B}$ with $\mathcal{A}$ and $\mathcal{B}$ both sets of vertices from $G_n$. We say that a pair $(a, b)$ occurs at a node $v$ of a game tree if $v$ is labeled $(\mathcal{A}, \mathcal{B})$ and $a \in \mathcal{A}$, $b \in \mathcal{B}$. The following lemma is obvious but useful:

Lemma 6.4 If a pair $(a, a)$ occurs anywhere in a game tree, then that tree can never be closed.

Let $T$ be a closed game tree whose root is labeled $(Y_n, N_n)$ and on which Delilah and Samson have both played perfectly. We will argue that $T$ has at least $n!$ leaves.

Lemma 6.5 Let $\pi \in \Pi_n$. Then there is a branch in $T$ from root to leaf along which the following pairs occur (in this order),

$(t_\pi, f_\pi), (t_{\pi^2}, f_{\pi^2}), \ldots, (t_{\pi^n}, f_{\pi^n})$

Proof: By definition of $\mathcal{A}_0$, $(t_\pi, f_\pi)$ occurs at the root. Suppose inductively that $(t_{\pi^k}, f_{\pi^k})$ occurs at node $v_k$ (and is preceded by $(t_{\pi^j}, f_{\pi^j})$ for all $j < k$); and $v_k$ is the lowest node at which $(t_{\pi^k}, f_{\pi^k})$ occurs. If $k = n$, then the lemma is proved. Suppose that $k < n$. In this case, $v_k$ is an open node since $t_{\pi^k}$ and $f_{\pi^k}$ both satisfy the same predicate symbol, $p_{\pi(k)}$.

³ See Emerson and Halpern [EH85] for the upper bound.

From now on, let us assume that there are no "not" moves, but that instead Samson may play on the left or on the right. This may slightly decrease the size of $T$ by removing "not" moves, but the number of leaves is unchanged. Note that an "or" move on the right is really an "and" move, and an E move on the right is really an A move.

Observe that if Samson plays an "or" move at $v_k$, then the pair $(t_{\pi^k}, f_{\pi^k})$ would still occur at one of $v_k$'s children. Furthermore, Samson cannot close $v_k$. Thus, Samson must play one of the following moves: EX, EU, AU.

Recall that every path from $f_{\pi^k}$ is also a path from $t_{\pi^k}$. Thus if Samson plays on the right, stepping off to some descendant $d$, then $t_{\pi^k}$ has the identical descendant $d$, which Delilah will play. It follows from Lemma 6.4 that Samson must play on the left at $v_k$.

If Samson plays EX then he must move from $t_{\pi^k}$ to one of its successors. The only successor of $t_{\pi^k}$ that is not a successor of $f_{\pi^k}$ is $t_{\pi^{k+1}}$. Thus, Samson must move to $t_{\pi^{k+1}}$, and Delilah will move to all successors of $f_{\pi^k}$, including $f_{\pi^{k+1}}$. Thus $(t_{\pi^{k+1}}, f_{\pi^{k+1}})$ occurs in the child of $v_k$, as desired.

Suppose that Samson plays AU. Samson starts by choosing a maximal path for each structure on the left. Delilah answers by choosing the infinite loop on the current vertex for each structure on the right. Recall that $G_n$ has a self-loop at each vertex. Now, Samson chooses an initial segment of each infinite self-loop. Delilah responds by choosing the initial segments of length zero from Samson's paths. The right child of $v_k$ is thus labeled exactly the same as $v_k$. Thus it is not useful for Samson to play AU.

Finally, suppose that Samson plays EU. He chooses a path from $t_{\pi^k}$ to some descendant $d$. Note that if $d \neq t_{\pi^{k+1}}$ then $d$ is also a descendant of $f_{\pi^k}$. Thus Delilah will answer with the path consisting of a single step from $f_{\pi^k}$ to $d$. If Samson challenges $f_{\pi^k}$ then we have made no progress. If Samson challenges $d$, then the right child of $v_k$ contains the pair $(d, d)$ and thus Delilah wins. Thus, Samson must play the path from $t_{\pi^k}$ to $t_{\pi^{k+1}}$. Delilah will answer, among others, with the path from $f_{\pi^k}$ to $f_{\pi^{k+1}}$, and $(t_{\pi^{k+1}}, f_{\pi^{k+1}})$ occurs at a child of $v_k$, as desired. □

The path of permutation $\pi$ which is guaranteed by Lemma 6.5 to occur along at least one branch of $T$ may in fact occur along several branches. For each permutation $\pi$ we would like to choose a particular branch as the representative branch of $\pi$. If $(t_{\pi^k}, f_{\pi^k})$ occurs at $v$ along this branch, and $(t_{\pi^k}, f_{\pi^k})$ still occurs at one of $v$'s children, then we follow this child, i.e., we take a branch that avoids making progress if possible. If both steps make progress, or neither does, we follow the left child.

Let $\pi, \sigma$ be distinct elements of $\Pi_n$. In the next lemma we prove that the branches of $\pi$ and $\sigma$ must diverge at some point in $T$. By this we mean that the branches start together at the root, but eventually separate and end at distinct leaves. It will then follow that there are at least as many leaves of $T$ as elements of $\Pi_n$, and Lemma 6.3 and Theorem 6.1 thus follow.

Lemma 6.6 Let $\pi, \sigma$ be distinct elements of $\Pi_n$. Then the branches of $\pi$ and $\sigma$ diverge.

Proof: Let us assume for the sake of a contradiction that the branches of $\pi$ and $\sigma$ coincide. Let $k$ be the first place at which $\pi$ and $\sigma$ differ, i.e., $\pi(i) = \sigma(i)$ for $i < k$ and $\pi(k) \neq \sigma(k)$. We know that $(t_{\pi^1}, f_{\pi^1})$ and $(t_{\sigma^1}, f_{\sigma^1})$ both occur at the root.

The branches for $\pi$ and $\sigma$ may be moving down in lock step, i.e., $(t_{\pi^j}, f_{\pi^j})$ occurs at the same node as $(t_{\sigma^j}, f_{\sigma^j})$, or one may be ahead of the other, e.g., $(t_{\pi^{j+1}}, f_{\pi^{j+1}})$ occurs at the same node as $(t_{\sigma^j}, f_{\sigma^j})$. Let us assume that they are in lock step, or that $\pi$ is ahead of $\sigma$, when $(t_{\sigma^{k+1}}, f_{\sigma^{k+1}})$ first occurs. Let $v_k$ be the lowest node on the branch at which $(t_{\sigma^k}, f_{\sigma^k})$ occurs. Since $(t_{\sigma^k}, f_{\sigma^k})$ does not occur at a child of $v_k$, Samson must play either EX or EU at the node $v_k$. There are two cases.

Case 1: $(t_{\pi^k}, f_{\pi^k})$ also occurs at $v_k$. Thus Samson must step from $t_{\sigma^k}$ to $t_{\sigma^{k+1}}$ and from $t_{\pi^k}$ to $t_{\pi^{k+1}}$ at this step. Since $\pi(k) \neq \sigma(k)$, $t_{\sigma^{k+1}}$ is a descendant of $f_{\pi^k}$ (and $t_{\pi^{k+1}}$ is a descendant of $f_{\sigma^k}$). If Samson challenges either of these descendants, then we have the same point on both sides of a node in $T$ and Delilah wins. If Samson challenges neither, then $(t_{\sigma^k}, f_{\sigma^k})$ occurs at a proper descendant of $v_k$, contradicting our assumption.

Case 2: $(t_{\pi^j}, f_{\pi^j})$ occurs at $v_k$ for some $j > k$. Samson must step from $t_{\sigma^k}$ to $t_{\sigma^{k+1}}$ and either leave $t_{\pi^j}$ fixed, or step from $t_{\pi^j}$ to $t_{\pi^{j+1}}$. Let $d$ be the not-necessarily-proper descendant of $t_{\pi^j}$ that Samson steps to. Delilah answers with the path from $f_{\sigma^k}$ to $d$. Since we have assumed that progress on $\sigma$ is made at this node, Samson cannot challenge $f_{\sigma^k}$. Thus he must challenge $d$, and the pair $(d, d)$ occurs at the left child of $v_k$. This contradicts our assumption that $T$ is closed.

Thus we have proved that the branches of $\pi$ and $\sigma$ cannot remain together after the second one has moved past level $k$. □

7 Lower Bound on Booleans in Reachability Logic

In this section we give an interesting application of formula-size games to characterize the number of boolean variables needed in a reachability logic. In [IV97] it is shown that CTL* is linearly embeddable in the transitive closure logic FO$^2$(TC). Furthermore, in [AI00] a sublanguage of FO$^2$(TC) called reachability logic ($\mathcal{RL}$) is described. CTL* remains linearly embeddable in $\mathcal{RL}$. The complexity of checking whether a Kripke structure $\mathcal{K}$ satisfies an $\mathcal{RL}$ formula $\varphi$ is $O(|\mathcal{K}|\,|\varphi|\,2^{n_b})$, where $n_b$ is the number of boolean variables occurring in $\varphi$. Both $\mathcal{RL}$ and FO$^2$(TC) may contain boolean-valued variables in addition to their two domain variables. Since the time to model check is linear in the size of the formula and the size of the structure, but exponential in the number of booleans, information about how many booleans are needed is important.

The boolean variables are not needed to embed CTL; however, in the linear embeddings of CTL* in $\mathcal{RL}$ and FO$^2$(TC) at most a linear number of boolean variables may be used. It was left open in [IV97] whether any such booleans are actually needed. It was shown in [AI00] that at least one boolean is needed to embed CTL* at all in FO$^2$(TC) or $\mathcal{RL}$. Whether more than one such boolean variable is needed remains open.

In this section we use a size game for a weakened version of $\mathcal{RL}$ which we call $\mathcal{RL}^w$. The main result of this section is that for the formulas $\mathrm{Occur}_n$ to be translated to polynomial-size formulas in $\mathcal{RL}^w$, $\Omega(n)$ boolean variables are needed. The main weakness of $\mathcal{RL}^w$ is that we do not allow new unary relations to be defined. We also require weak adjacency formulas to imply $R(x, y)$ as opposed to $R(x, y) \vee R(y, x) \vee x = y$, but this is just for convenience. It can be shown that LTL $\subseteq \mathcal{RL}^w$ but CTL $\not\subseteq \mathcal{RL}^w$. Due to lack of space we do not give a full explanation of $\mathcal{RL}$, directing the reader instead to [AI00]. (We do provide the definition of $\mathcal{RL}$ and a few examples in Appendix B.)

Our original motivation in trying to prove lower bounds on the formula $\mathrm{Occur}_n$ was to characterize how many boolean variables are needed in the translations of CTL* to FO$^2$(TC) and $\mathcal{RL}$. In this section we are only able to prove a good lower bound for translations to the weaker language $\mathcal{RL}^w$. We believe that even this partial result is of interest, and we suspect this approach will lead to a similar lower bound for the full $\mathcal{RL}$.

Definition 7.1 A weak adjacency formula $\delta(x, \bar b, y, \bar b')$ is the conjunction of $R(x, y)$ with a boolean combination of the booleans $\bar b, \bar b'$ and the unary relations $P_i(x), P_i(y)$. Define $\mathcal{RL}^w$ to be the smallest fragment of FO$^2$(TC) that satisfies the following:

1. If $p$ is a unary relation symbol then $p \in \mathcal{RL}^w$.

2. If $\varphi, \psi \in \mathcal{RL}^w$, then $\neg\varphi \in \mathcal{RL}^w$ and $\varphi \wedge \psi \in \mathcal{RL}^w$.

3. If $\varphi \in \mathcal{RL}^w$ and $\delta(x, \bar b, y, \bar b')$ is a weak adjacency formula, then the following formulas are in $\mathcal{RL}^w$:

(a) $\mathrm{REACH}(\delta)\varphi$

(b) $\mathrm{CYCLE}(\delta)$

Semantics of $\mathcal{RL}^w$:

$$p \equiv p(x)$$
$$\mathrm{REACH}(\delta)\varphi \equiv \exists y\,\big((\mathrm{TC}\,\delta)(x, \bar 0, y, \bar 1) \wedge \varphi[y/x]\big)$$
$$\mathrm{CYCLE}(\delta) \equiv (\mathrm{TC}\,\delta)(x, \bar 0, x, \bar 1)$$

□

As an example, we translate $\mathrm{Occur}_n$ to $\mathcal{RL}^w$ as follows: $\mathrm{Occur}_n \equiv \mathrm{REACH}(\delta_n)\,\mathrm{true}$, where

$$\delta_n(x, \bar b, y, \bar b') \equiv R(x, y) \wedge \bigwedge_{i=1}^{n} \big(b'_i \leftrightarrow (b_i \vee p_i(x))\big).$$

The idea is that boolean variable $b_i$ keeps track of whether predicate $p_i$ has ever been satisfied on the current path. We can reach a point where all the booleans are one iff $\mathrm{Occur}_n$ holds.

The $\mathcal{RL}^w$ formula-size game is very similar to the CTL formula-size game. In the Reach move, Samson asserts that $\mathrm{REACH}(\delta)\varphi$ holds for all the vertices $v_0 \in A$. For each such $v_0$ he produces a path

$$(v_0, \bar b^0), (v_1, \bar b^1), \ldots, (v_r, \bar b^r)$$

where $\bar b^0 = \bar 0$, $\bar b^r = \bar 1$, and $R(v_i, v_{i+1})$ holds for all $i < r$. Delilah answers with a similar path,

$$(w_0, \bar c^0), (w_1, \bar c^1), \ldots, (w_s, \bar c^s)$$

for as many copies as she wishes of each $w_0 \in B$. For each of Delilah's paths, Samson either challenges the final point, and puts it in $B_2$, or he challenges some pair $((w_j, \bar c^j), (w_{j+1}, \bar c^{j+1}))$ and puts it in $B_1$. Then Delilah lets $A_2$ contain all the $v_r$'s and $A_1$ contain all pairs $((v_i, \bar b^i), (v_{i+1}, \bar b^{i+1}))$. If originally $A$ and $B$ differed on $\mathrm{REACH}(\delta)\varphi$, then after the move $A_1$ and $B_1$ differ on $\delta$ and $A_2$ and $B_2$ differ on $\varphi$. Note that $\delta$ is quantifier free and only concerns the booleans together with the unary predicates true at the two points of each pair. In the game we consider below, Delilah will only play pairs that correspond to pairs played by Samson, so Samson will never challenge a pair, but rather the endpoint of each of Delilah's paths.

The Cycle move is similar to the Reach move. Since the graphs we will play on below are acyclic, it will not be useful for Samson to play the Cycle move. Let the $\mathcal{RL}^w_k$ game be the $\mathcal{RL}^w$ game in which the tuples of booleans are of size at most $k$.

We next define the graph $H_n$ on which we will play the $\mathcal{RL}^w$ game. These are simpler than the $G_n$ from Section 5 because we only need an exponential lower bound, not an $n!$ lower bound. Thus we only need to consider all subsets of the $n$ propositional variables, not all possible paths through them.

Let $X_n$ be the set of all proper subsets of the $n$ predicates. For any element $e$ of $X_n$, let $S(e)$ be a path that visits every predicate of $e$ exactly once, and then visits a blank vertex. Let $F(e)$ be a path that visits every predicate of $e$ exactly once. The order of the predicates in $F(e)$ and $S(e)$ does not matter.

$H_n$ contains $2^n - 1$ "true" vertices, $t_e$, one for each $e \in X_n$. Node $t_e$ starts with the path $S(e)$, and then from the last (blank) vertex, call it $b_e$, there is an edge to each first vertex of $F(f)$, for any $f \in X_n$ such that $e \cup f \neq [n]$, and also to $F(\bar e)$, where $\bar e = [n] - e$.

$H_n$ also contains $2^n - 1$ "false" vertices, $f_e$, one for each $e \in X_n$. Node $f_e$ starts with the path $S(e)$, and then from the last (blank) vertex, call it $b'_e$, there is an edge to each first vertex of $F(f)$, for any $f \in X_n$ such that $e \cup f \neq [n]$.

Let $T_n = \{t_e \mid e \in X_n\}$ and $F_n = \{f_e \mid e \in X_n\}$. Clearly $T_n \models \mathrm{Occur}_n$ and $F_n \models \neg\mathrm{Occur}_n$.
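The following Python program is an added worked example and is not part of the paper. It implements the $\mathcal{RL}^w$ semantics of $\mathrm{REACH}(\delta)\varphi$ as a search over (vertex, boolean-tuple) pairs, builds $H_n$ for a small $n$ as described above, and checks that every $t_e$ satisfies $\mathrm{Occur}_n$ under the translation $\mathrm{REACH}(\delta_n)\,\mathrm{true}$ while no $f_e$ does. All function and vertex names are this example's own. Two details are choices made here rather than fixed by the paper: the order of predicates inside $S(e)$ and $F(e)$ (arbitrary, as the text says), and the fact that $\delta_n$ below records $p_i$ at both endpoints of a step ($b'_i \leftrightarrow b_i \vee p_i(x) \vee p_i(y)$) so that the first and last vertex of a path both count on a graph without self-loops; this is still a weak adjacency formula in the sense of Definition 7.1.

```python
from itertools import combinations, product


def reach(succ, n, delta, phi, x):
    """REACH(delta)phi at vertex x, following the RL^w semantics
    exists y ( (TC delta)(x, 0..0, y, 1..1) and phi(y) ).
    The transitive closure is explored by depth-first search over
    (vertex, boolean-tuple) states starting at (x, all-false); a state
    counts only after at least one delta-step, as TC requires."""
    start = (x, (False,) * n)
    seen = {start}
    stack = [start]
    while stack:
        u, b = stack.pop()
        for v in succ[u]:                                   # R(u, v)
            for b2 in product((False, True), repeat=n):     # candidate b'
                if (v, b2) in seen or not delta(u, b, v, b2):
                    continue
                if all(b2) and phi(v):
                    return True
                seen.add((v, b2))
                stack.append((v, b2))
    return False


def delta_occur(preds, n):
    """Weak adjacency formula delta_n: R(x,y) is implicit (we only step along
    edges) and b'_i <-> (b_i or p_i(x) or p_i(y)), i.e. bit i records whether
    p_i has been seen on the path so far.  Recording p_i(y) as well as p_i(x)
    is this example's choice (see the lead-in)."""
    def delta(u, b, v, b2):
        return all(b2[i] == (b[i] or i in preds[u] or i in preds[v])
                   for i in range(n))
    return delta


def occurs(succ, preds, n, x):
    """Occur_n at x, via the translation REACH(delta_n) true."""
    return reach(succ, n, delta_occur(preds, n), lambda v: True, x)


def build_H(n):
    """Construct H_n.  Returns (succ, preds, t, f): succ is the edge relation,
    preds maps a vertex to the set of predicate indices true at it, and
    t[e] / f[e] are the 'true' / 'false' start vertices for each proper
    subset e of {0, ..., n-1}.  Vertex names are arbitrary labels."""
    succ, preds = {}, {}

    def vertex(name, pred=None):
        succ[name] = []
        preds[name] = set() if pred is None else {pred}
        return name

    def path(tag, elems):
        """Chain visiting each predicate of elems once; (first, last) vertex,
        or (None, None) when elems is empty."""
        names = [vertex(f"{tag}:{i}", i) for i in sorted(elems)]
        for a, b in zip(names, names[1:]):
            succ[a].append(b)
        return (names[0], names[-1]) if names else (None, None)

    universe = frozenset(range(n))
    X = [frozenset(s) for r in range(n) for s in combinations(range(n), r)]
    # F(e) paths are shared targets; F(complement of e) may be the full set.
    F = {e: path(f"F{sorted(e)}", e) for e in X + [universe]}
    t, f = {}, {}
    for e in X:
        for kind, store in (("t", t), ("f", f)):
            first, last = path(f"{kind}{sorted(e)}S", e)  # S(e) ...
            blank = vertex(f"{kind}{sorted(e)}b")         # ... then its blank vertex
            if last is not None:
                succ[last].append(blank)
            store[e] = first if first is not None else blank
            for g in X:                                   # blank -> F(g) if e u g != [n]
                if e | g != universe and F[g][0] is not None:
                    succ[blank].append(F[g][0])
            if kind == "t":                               # only b_e reaches F(complement)
                succ[blank].append(F[universe - e][0])
    return succ, preds, t, f


if __name__ == "__main__":
    n = 3
    succ, preds, t, f = build_H(n)
    for e in sorted(t, key=sorted):
        print(sorted(e), "t_e:", occurs(succ, preds, n, t[e]),
              "f_e:", occurs(succ, preds, n, f[e]))
```

The search enumerates every candidate boolean tuple at each step, which is exponential in $n$; that is exactly the $2^{n_b}$ factor in the model-checking bound quoted in this section, and the reason the number of booleans matters.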

Lemma 7.2 Samson cannot close the $\mathcal{RL}^w_k$ game on $(T_n, F_n)$ in a game tree with fewer than $2^n / 2^k$ nodes.

Proof: Note that the paths from $t_e$ and $f_e$ are identical through the blank vertices $b_e$, $b'_e$ at the bottom of their starting paths $S(e)$, and the only difference after that is that $b_e$ has an edge to $F(\bar e)$. Thus, to close the game tree, Samson must play a series of Reach moves from $t_e$ to $b_e$, and then into $F(\bar e)$, for each $e \in X_n$.

The key observation is that while we are standing on $b_e$, all that we know is what node of the game tree we are in, plus the current values of our $k$ booleans. Indeed, we prove that Samson cannot play a Reach move that includes a path in which $(b_e, \bar c)$ is an intermediate node, and also includes a path in which $(b_g, \bar c)$ is an intermediate node, for distinct subsets $e \neq g$ and the same $k$-tuple of booleans $\bar c$. It follows that Samson can move through at most $2^k$ different $b_e$'s at the same time. Our lower bound will then follow.

Suppose for the sake of a contradiction that for distinct subsets $e, g \in X_n$, Samson plays a Reach move that includes a step from $b_e$ and a step from $b_g$ at the same node of the game tree, and that the booleans associated with $b_e$ and $b_g$ are identical.

Since $e \neq g$, we may assume that $e \cup \bar g \neq [n]$ (i.e., $g \not\subseteq e$); otherwise interchange $e$ and $g$. Delilah answers with a Reach path from $f_e$ to $b'_e$ that first copies the booleans on Samson's path from $t_e$ to $b_e$. Delilah continues this path into $F(\bar g)$, copying Samson's path from $b_g$ to $F(\bar g)$; the edge from $b'_e$ into $F(\bar g)$ exists because $e \cup \bar g \neq [n]$. Since each step in Delilah's spliced path is identical to a step in one of Samson's paths, Samson cannot challenge any of the steps. Thus, Samson must challenge the bottom of Delilah's path. However, this is identical to the bottom of Samson's path from $t_g$.

Thus our assumption was false, so at most $2^k$ of the $t_e$'s can move from their blank vertices $b_e$ at the same node of the game tree. Thus there must be at least $(2^n - 1) / 2^k$ intermediate nodes of the game tree. Since there are at least $n$ leaves, the total number of nodes is at least $2^n / 2^k$, as claimed. □

Corollary 7.3 $\Omega(n)$ booleans are required to express the CTL$^+$ and LTL formula $\mathrm{Occur}_n$ as a polynomial-size formula of $\mathcal{RL}^w$.

8 Conclusions and Future Directions

In this paper we have introduced Ehrenfeucht-Fraïssé games on the size of formulas rather than their operator depth. We have used these games to prove a new, optimal bound which exactly characterizes the succinctness of CTL$^+$ with respect to CTL. We have also used these games to prove an $\Omega(n)$ lower bound on the number of booleans needed to translate LTL to $\mathcal{RL}^w$.

The formula-size games introduced here offer promise in settling many conjectures in descriptive complexity. In particular, questions about true complexity involve languages where an ordering relation on the universe is present. In the presence of ordering, we can express complex properties using low operator depth, with huge disjunctions over all possible input structures of a given size. Thus bounds on operator depth are not helpful here. Bounds on size would be extremely helpful. The formulas involved must be large, assuming well-believed complexity-theoretic conjectures. Although the size game is combinatorially complex, we expect that the methods introduced in this paper will help make progress towards lower bounds for languages with ordering.

We expect that the lower bounds from Section 7 can be extended to the full reachability logic, $\mathcal{RL}$. Another open problem was suggested by one of the referees: Wilke showed his exponential lower bound for the alternation-free $\mu$-calculus, which properly contains CTL [Wil99]. Can our Theorem 6.1 be similarly extended to the alternation-free $\mu$-calculus?

Acknowledgments: Thanks to Natasha Alechina and

A Background on CTL

A popular and quite expressive language for model checking is the computation tree logic CTL* [CGP99]. Here we briefly describe CTL* together with some of its sublanguages: CTL $\subseteq$ CTL$^+$ $\subseteq$ CTL* and LTL $\subseteq$ CTL*. CTL and CTL$^+$ express the same set of properties, but CTL$^+$ is more succinct. CTL and LTL are incomparable.

CTL* has two kinds of formulas: state formulas, which are true or false at each state, and path formulas, which are true or false with respect to a maximal path through some Kripke structure $\mathcal{K}$. The following is an inductive definition of the state and path formulas of CTL*.

Definition A.1 (Syntax of CTL*) State formulas $S$ and path formulas $P$ of CTL* are the smallest sets of formulas satisfying the following:

State Formulas, $S$:

the boolean constants true and false are elements of $S$;
for $i \in \mathbb{N}$, $p_i \in S$;
if $\varphi \in P$, then $E\varphi \in S$.

Intuitively, $E\varphi$ means that there exists a maximal path starting at the current state and satisfying $\varphi$.

Path Formulas, $P$:

if $\alpha \in S$ then $\alpha \in P$;
if $\varphi, \psi \in P$, then $\neg\varphi$, $\varphi \wedge \psi$, $X\varphi$, and $\varphi U \psi$ are in $P$.

Intuitively, $X\varphi$ means that $\varphi$ holds at the next time, and $\varphi U \psi$ means that at some time now or in the future $\psi$ holds, and from now until then $\varphi$ holds. □

Next, we formally define the semantics of the above operators. In this paper all structures will be finite and acyclic except perhaps for self-loops. Thus all paths will be finite, except perhaps for an infinite loop on the final point. A maximal path $\rho = \rho_1, \rho_2, \ldots, \rho_\ell$ is a mapping from $[\ell]$ to states in $\mathcal{K}$ such that for all $i < \ell$, $\mathcal{K} \models R(\rho_i, \rho_{i+1})$, and such that $\rho_\ell$ either has no successors or has a self-loop. We use the notation $\rho^i$ for the tail of $\rho$, with states $\rho_1, \rho_2, \ldots, \rho_{i-1}$ removed.

Definition A.2 (Semantics of CTL*) The following are inductive definitions of the meaning of CTL* formulas:

State Formulas:

$(\mathcal{K}, s) \models p_i$ iff $\mathcal{K} \models p_i(s)$

$(\mathcal{K}, s) \models E\varphi$ iff $(\exists\ \text{path}\ \rho\ \text{s.t.}\ \rho_1 = s)\ (\mathcal{K}, \rho) \models \varphi$

Path Formulas:

$(\mathcal{K}, \rho) \models \alpha$ iff $(\mathcal{K}, \rho_1) \models \alpha$, for $\alpha \in S$

$(\mathcal{K}, \rho) \models \varphi \wedge \psi$ iff $(\mathcal{K}, \rho) \models \varphi$ and $(\mathcal{K}, \rho) \models \psi$

$(\mathcal{K}, \rho) \models \neg\varphi$ iff $(\mathcal{K}, \rho) \not\models \varphi$

$(\mathcal{K}, \rho) \models X\varphi$ iff $(\mathcal{K}, \rho^2) \models \varphi$

$(\mathcal{K}, \rho) \models \varphi U \psi$ iff $(\exists i)\,(\mathcal{K}, \rho^i) \models \psi \wedge (\forall j < i)\,(\mathcal{K}, \rho^j) \models \varphi$

□

It is convenient to introduce a few other operators commonly used in CTL*, all of which may be defined from the above:

$A\varphi \equiv \neg E \neg\varphi$ (for All paths)

$F\varphi \equiv \mathrm{true}\, U \varphi$ (some time in the Future)

$G\varphi \equiv \neg F \neg\varphi$ (Globally, i.e., for all times in the future)

The language CTL is the restriction of CTL* so that path quantifiers (E, A) and temporal operators (X, U) are always paired. That is, the allowable operators are EU, AU, EX.⁴ The importance of CTL is that, unlike CTL*, it admits linear-time model checking [CE81]. The language CTL$^+$ allows boolean combinations of the temporal operators to be paired with the path quantifiers. CTL$^+$ is no more expressive than CTL but it is more succinct [Wil99]. Our main result shows exactly how succinct. The language LTL (linear temporal logic) consists of CTL* formulas that have exactly one path quantifier, E or A, and that begin with this path quantifier.
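As an added example, not taken from the paper, the following Python program implements the CTL fragment just described (EX, EU, AU, with A, F, G and AX derived exactly as above, AX as $\neg EX\neg$ per the footnote) by the usual state-labelling algorithm, and runs it over a small Kripke structure constructed here for the purpose. The structure is acyclic except for self-loops, as assumed throughout the paper, and also has a state with no successors; on such a state the only maximal path is the one-element path, so $X\varphi$ is false there and $E(\varphi U \psi)$, $A(\varphi U \psi)$ hold only if $\psi$ holds at the state itself. The fixpoint computation is the general one and works unchanged on arbitrary finite structures.

```python
# CTL model checking by state labelling over a finite Kripke structure.
# A structure is (succ, labels): succ[s] lists the successors of state s,
# labels[s] is the set of atomic propositions true at s.  Formulas are
# nested tuples built with the constructors below.

TRUE = ('true',)


def atom(a):
    return ('p', a)


def NOT(f):
    return ('not', f)


def AND(f, g):
    return ('and', f, g)


def EX(f):
    return ('EX', f)


def EU(f, g):
    return ('EU', f, g)


def AU(f, g):
    return ('AU', f, g)


# Derived operators, as in Appendix A (AX = not EX not, footnote 4).
def AX(f):
    return NOT(EX(NOT(f)))


def EF(f):                      # F f = true U f
    return EU(TRUE, f)


def AF(f):
    return AU(TRUE, f)


def EG(f):                      # G f = not F not f
    return NOT(AF(NOT(f)))


def AG(f):
    return NOT(EF(NOT(f)))


def sat(succ, labels, phi):
    """Return the set of states satisfying phi.
    A maximal path may end at a state with no successors, so there X f is
    false and E(f U g) / A(f U g) hold only when g does; a state with a
    self-loop lies on the infinite path that never leaves it."""
    states = set(succ)
    op = phi[0]
    if op == 'true':
        return set(states)
    if op == 'p':
        return {s for s in states if phi[1] in labels.get(s, ())}
    if op == 'not':
        return states - sat(succ, labels, phi[1])
    if op == 'and':
        return sat(succ, labels, phi[1]) & sat(succ, labels, phi[2])
    if op == 'EX':
        nxt = sat(succ, labels, phi[1])
        return {s for s in states if any(v in nxt for v in succ[s])}
    if op in ('EU', 'AU'):
        f = sat(succ, labels, phi[1])
        g = sat(succ, labels, phi[2])
        combine = any if op == 'EU' else all   # some / every successor
        result = set(g)                         # least fixpoint of
        changed = True                          #   g or (f and EX/AX result)
        while changed:
            changed = False
            for s in states - result:
                if s in f and succ[s] and combine(v in result for v in succ[s]):
                    result.add(s)
                    changed = True
        return result
    raise ValueError(f"unknown operator {op!r}")


# Constructed sample structure (not from the paper): acyclic except for the
# self-loops at c and d; e has no successors.  p holds at d and e, q at c.
SUCC = {'a': ['b', 'c'], 'b': ['d', 'e'], 'c': ['c'], 'd': ['d'], 'e': []}
LABELS = {'c': {'q'}, 'd': {'p'}, 'e': {'p'}}


def check(phi):
    """States of the sample structure satisfying phi, as a sorted list."""
    return sorted(sat(SUCC, LABELS, phi))


if __name__ == "__main__":
    for name, phi in [("EF p", EF(atom('p'))), ("AF p", AF(atom('p'))),
                      ("EG q", EG(atom('q'))), ("AG EF p", AG(EF(atom('p')))),
                      ("AX p", AX(atom('p')))]:
        print(f"{name:8s} holds at {check(phi)}")
```

Each operator is evaluated once per subformula and each fixpoint touches every edge at most once per added state, which is the linear-time behaviour the text attributes to CTL; the exponential cost of CTL* shows up only when a path formula is nested under another without a quantifier in between, which this fragment forbids.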


B Background on $\mathcal{RL}$

Here we give the definition of Reachability Logic ($\mathcal{RL}$). See [AI00] for proofs of the theorems and much more motivation and discussion.

Definition B.1 An adjacency formula (with booleans) is a disjunction of conjunctions where each conjunct contains at least one of $x = y$, $R_a(x, y)$ or $R_a(y, x)$ for some edge label $a$; in addition, the conjuncts may contain expressions of the form $(\neg)(b_1 = b_2)$, $(b_1 = 0)$, $(b_1 = 1)$ and $p(x)$, where $b_1$ and $b_2$ are boolean variables. □

Definition B.2 $\mathcal{RL}$ is the smallest fragment of FO$^2$(TC) that satisfies the following:

1. If $p$ is a unary relation symbol then $p \in \mathcal{RL}$; also $\top, \bot \in \mathcal{RL}$.

2. If $\varphi, \psi \in \mathcal{RL}$, then $\neg\varphi \in \mathcal{RL}$ and $\varphi \wedge \psi \in \mathcal{RL}$.

3. If $\varphi \in \mathcal{RL}$ and $b$ is a boolean variable, then $\exists b\,\varphi \in \mathcal{RL}$.

4. If $\varphi, \psi \in \mathcal{RL}$ and $q$ is a new unary predicate symbol, then $(\mathrm{let}\ q = \varphi\ \mathrm{in}\ \psi)$ is in $\mathcal{RL}$.

5. If $\varphi \in \mathcal{RL}$ and $\delta(x, \bar b, y, \bar b')$ is an adjacency formula (a binary relation between two $n$-tuples $(x, b_1, \ldots, b_{n-1})$ and $(y, b'_1, \ldots, b'_{n-1})$), then the following formulas are in $\mathcal{RL}$:

(a) $\mathrm{REACH}(\delta)\varphi$

(b) $\mathrm{CYCLE}(\delta)$

Semantics of $\mathcal{RL}$: The semantics of $\mathcal{RL}$ is defined as follows. In each case below assume that $\delta(x, \bar b, y, \bar b')$ is an adjacency formula.

$$p \equiv p(x)$$
$$(\mathrm{let}\ q = \varphi\ \mathrm{in}\ \psi) \equiv \psi[\varphi/q]$$
$$\mathrm{REACH}(\delta)\varphi \equiv \exists y\,\big((\mathrm{TC}\,\delta)(x, \bar 0, y, \bar 1) \wedge \varphi[y/x]\big)$$
$$\mathrm{CYCLE}(\delta) \equiv (\mathrm{TC}\,\delta)(x, \bar 0, x, \bar 1)$$

□

⁴We do not need AX because it is equivalent to $\neg EX\neg$.


Here are some examples of formulas in $\mathcal{RL}$:

• $\mathrm{REACH}(\delta)p$ where $\delta(x, b_1, b_2, y, b'_1, b'_2) \equiv (R_a(x, y) \wedge b_1 b_2 = 00 \wedge b'_1 b'_2 = 01) \vee (R_b(x, y) \wedge b_1 b_2 = 01 \wedge b'_1 b'_2 = 11)$ (this is $\langle a; b\rangle p$ of PDL);

• $P_1 \equiv \mathrm{REACH}(R)p$ (EF$p$ of CTL*);

• $P_2 \equiv \mathrm{REACH}(\delta)\,\mathrm{CYCLE}(\delta)$, where $\delta$ is $R(x, y) \wedge q(x)$ (EG$q$ of CTL*);

• $(\mathrm{let}\ q = P_1\ \mathrm{in}\ P_2)$ (EGEF$p$ of CTL*).

$\mathcal{RL}$ is a logical language and it is a fragment of FO$^2$(TC). However, because of the "let" construct, when we talk about size in the representation of $\mathcal{RL}$, we are really talking about circuits. Thus the size of an $\mathcal{RL}$-circuit may be logarithmic in the size of the smallest equivalent FO$^2$(TC) formula. This allows the linear-size embedding of CTL*, which presumably does not hold for FO$^2$(TC) (without a circuit representation or an extra domain variable, cf. [IV97]).

Boolean variables, however, add extra complexity, which is not surprising since model checking CTL* is PSPACE-complete [SC85].

Theorem B.3 There is an algorithm that, given a graph $G$ and a formula $\varphi(x) \in \mathcal{RL}$, marks the vertices in $G$ that satisfy $\varphi$. This algorithm runs in time $O(|G|\,|\varphi|\,2^{n_b})$, where $n_b$ is the number of boolean variables occurring in $\varphi$.

Theorem B.4 There is a linear-time computable function $g$ that maps any CTL* formula $\varphi$ to an equivalent formula $g(\varphi) \in \mathcal{RL}$. While $g(\varphi)$ has only two domain variables, it may have a linear number of boolean variables.
Abstract

Light Linear Logic (LLL) and its variant, Intuitionistic Light Affine Logic (ILAL), are logics of polytime computation. It has been proved that all polynomial time functions are representable by proofs of these logics (via the proofs-as-programs correspondence), and conversely that there is a specific reduction (cut-elimination) strategy which normalizes a given proof in polynomial time (the latter may well be called the polytime "weak" normalization theorem).

In this paper, we introduce an untyped term calculus, called Light Affine Lambda Calculus ($\lambda_{LA}$), generalizing the essential ideas of light logics into an untyped framework. It is a simple modification of $\lambda$-calculus, and has ILAL as a type assignment system. Then, in this generalized setting, we prove the polytime "strong" normalization theorem: any reduction strategy normalizes a given $\lambda_{LA}$ term (of fixed depth) in a polynomial number of reduction steps, and indeed in polynomial time.

1 Introduction

In [9, 10], Girard introduced Light Linear Logic (LLL) as an intrinsically polytime logical system: every polynomial time function is representable by an LLL proof, and every LLL proof¹ is normalizable, via cut-elimination, in polynomial time. Later on, in [2], Asperti introduced a simplified system, called Light Affine Logic, by adding the full (unrestricted) weakening rule to LLL. Its intuitionistic fragment (ILAL) has been particularly well investigated (see [3]), since it allows a compact term notation for proofs and has clear relevance to functional programming issues.

These light logics provide a purely logical insight into polytime computation. In contrast with other polytime logical (type) systems, e.g., [15, 13, 11, 8, 14], light logics do not contain any built-in data type, and the characterization result is about the complexity of cut-elimination, which has been a canonical measure for estimating the complexity of a logical system in proof theory. Also notably, light logics are endowed with various semantics ([12, 4, 18]), which could lead to a semantic understanding of polytime.

An important problem remains to be settled, however. By inspecting the normalization theorem given by [10], one observes that what is actually shown in that paper is polytime weak normalizability, namely, that there is a specific reduction strategy which normalizes a given LLL proof in polytime. The same is true of ILAL ([2, 20, 3]). It has been left unsettled whether polytime strong normalizability holds for these light logics, namely, whether any reduction strategy normalizes a given proof in polytime. The primary purpose of this paper is to give a solution to this problem.

Having such a property will be theoretically important in that it gives further credence to light logics as intrinsically polytime systems. It will be practically important, too. Through the Curry-Howard correspondence, each proof of light logics may be considered as a feasible program, which is executable in polytime, and whose bounding polynomial is specified by its type (formula). In this context, the property will assure that the polytime executability of such a program is not affected by the choice of an evaluation strategy. It will also provide a good starting point for the pursuit of efficiency in normalization.

For our purpose, it is reasonable to begin with ILAL, because it is much simpler than LLL. However, the term calculi proposed for ILAL so far either have a complicated notion of reduction defined by a large number of rewriting rules ([2, 20]), or involve notational ambiguity ([19, 3]).² Therefore, we first need to devise a simple and accurate term calculus for ILAL which is suitable for our investigation. Such a simple calculus will also provide a better understanding of the computational aspects of light logics. This is our secondary purpose.

*Research Fellow of the Japan Society for the Promotion of Science.

¹Of lazy conclusions, i.e., those free from $\exists$ and $\&$.

²See the remark in 9.1 of [3]. Instead, the latter paper presents a proofnet syntax for ILAL, based on which several computational properties are investigated.

In this paper, we introduce a new term calculus, called Light Affine Lambda Calculus ($\lambda_{LA}$), which embodies the essential mechanisms of light logics in an untyped setting. It amounts to a simple modification of $\lambda$-calculus with modal and let operators, having very simple operational behavior defined by just 5 reduction rules with the standard notion of substitution. It satisfies the subject reduction and Church-Rosser properties. $\lambda_{LA}$ is an untyped calculus, but remarkably, all its well-formed terms are polytime normalizable. ILAL is then re-introduced as a Curry-style type assignment system for $\lambda_{LA}$. There are a number of reasons for adopting this presentation.

1. First of all, to design a truly polytime (rather than just polystep) polymorphic calculus, one must give up a Church-style term syntax with embedded types: a universal quantifier may bind an arbitrary number of type variable occurrences, and thus iterated type instantiations ($\Lambda$-reductions) may easily cause exponential growth in the size of types.³

2. An untyped polytime calculus deserves investigation in its own right. (This program was advocated in the appendix of [10], but has not been developed so far.)

3. The notion of well-formedness, rather than typability, neatly captures the syntactic conditions for being polytime normalizable.

4. Last but not least, typability in ILAL is presumably intractable,⁴ while well-formedness is checked very easily (in quadratic time).

Then, in this generalized setting, we prove

• The Polystep Strong Normalization Theorem: every reduction sequence in $\lambda_{LA}$ has a length bounded by a polynomial in the size of its initial term (of fixed depth).

• The Polytime Strong Normalization Theorem: every reduction strategy (given as a function oracle) induces a normalization procedure which terminates in time polynomial in the size of a given term (of fixed depth).

It follows that every term typable in ILAL, which can be viewed as a structural representation of an ILAL proof (with formulas erased), is polytime strongly normalizable. It is very likely that essentially the same holds for LLL.

The rest of this paper is organized as follows. We introduce $\lambda_{LA}$ in Section 2 and ILAL (as a type assignment system) in Section 3. In Section 4 we give the main part of the polystep strong normalization theorem. The theorem itself appears in Section 5, as well as its direct corollaries, namely the Church-Rosser property and the polytime strong normalization theorem. In Section 6 we discuss the polytime strong normalizability of LLL. We also discuss the interpretability of polytime type systems based on safe recursion in $\lambda_{LA}$.

³Proofnets (of LLL) contain formulas. Hence proofnets themselves are not polytime normalizable. A solution suggested by [10] is to work with untyped proofnets (with formulas erased) in the actual computation. When the conclusion is lazy, the formulas can be automatically recovered after normalization, and such formulas are not exponentially large. Our approach is somewhat similar, in that we work with an untyped formalism in the actual computation and supply it with a type assignment system.

⁴The problem is undecidable for System F in the Curry style ([22]).

2 Light Affine Lambda Calculus

In this section we set up λLA. We begin by giving the set PT of pseudo-terms (in 2.1). Our goal is to define the set T of well-formed terms (in 2.2) and the notion of reduction (in 2.3).

2.1 Pseudo-terms

Let x, y, z, ... range over term variables.

Definition 2.1 The set PT of pseudo-terms is defined by the following grammar:

  t, u ::= x | λx.t | tu | !t | let u be !x in t | §t | let u be §x in t.

In addition to the standard constructs such as λ-abstraction and application, we have two boxes, !t and §t, and two let operators. Boxes induce a stratified structure on expressions. Interaction of boxes is enabled by let operators.

In the sequel, the symbol † stands for either ! or §. Pseudo-terms (λx.t) and (let u be †x in t) bind each occurrence of x in t. As usual, pseudo-terms are considered up to α-equivalence, and the variable convention (see [5]) is adopted for the treatment of free/bound variables (namely, the bound variables are chosen to be different from the free variables, so that a variable clash is never caused by substitution). The notation t{u/x} is used to denote the pseudo-term obtained by substituting u for the free occurrences of x in t. FV(t) denotes the set of free variables in t. FO(x, t) denotes the number of free occurrences of x in t, and FO(t) denotes the number of free occurrences of all variables in t.

As usual, each pseudo-term t is represented as a term tree, and each subterm occurrence u in t is pointed to by its address, i.e., a word w ∈ {0,1}* which describes the path from the root to the node corresponding to u in the term tree. For example, the term tree for (λx.let !x be !y in yy) and the addresses in it are illustrated in Figure 1.

Figure 1: Term Tree and Addresses

The size |t| of a pseudo-term t is the number of nodes in its term tree. Since our terms are untyped, |t| is not significantly different from the length of its string representation. Given a pseudo-term t and an address w, the depth of w in t is the number of !-boxes and §-boxes enclosing the subexpression at w. The depth of t is the maximum depth of all addresses in it.

A context Φ is a pseudo-term-like expression with one hole •. If Φ is a context and t is a pseudo-term, then Φ[t] denotes the pseudo-term obtained by substituting t for • in Φ.

2.2 Terms

Before giving the formal definition of well-formed terms, we shall informally discuss the critical issues.

Firstly, we assume that variables are (conceptually) classified into three groups: undischarged, !-discharged, and §-discharged variables. These are to be bound by λ-abstraction, the let-! operator and the let-§ operator, respectively.

The fundamental concept of light logics is to enforce a stratified structure on proofs/terms and to preserve it in the course of reduction. Concretely, light logics deny the following principles of Linear Logic, which destroy the stratified structure:

• Dereliction: !A ⊸ A,

• Digging: !A ⊸ !!A.

We achieve the stratification by the following mechanisms:

• By default, a variable is undischarged, and a variable is made (either !- or §-) discharged when a box is built around it. This condition corresponds to the prohibition of the dereliction principle. It is expressed in our term syntax as:

  dereliction(x) := let x be !y in y,

whose effect is to open a !-box:

  dereliction(!t) → t.

It is ruled out, since the variable y is undischarged but is illegally bound by a let-! operator. On the other hand, the following term, corresponding to the canonical map !A ⊸ §A, is legitimate:

  let x be !y in §y.

• A box may be built around a term only when it contains no discharged variable. This corresponds to the prohibition of the digging principle. It may be expressed as:

  digging(x) := let x be !y in !!y,

whose effect is to embed a !-box into a deeper layer:

  digging(!t) → !!t.

It is also ruled out, since it attempts to build a !-box !!y around another box !y, but the latter contains a discharged variable y.

Another fundamental property of light logics is, as in Linear Logic, that only the contents of !-boxes are duplicable. It is maintained by the following condition:

• Among the three binders, only let-! may bind multiple occurrences of (!-discharged) variables.

Duplication takes place when a !-box meets a let-! operator; for example,

  let !t be !x in (§xx)!x → (§tt)!t.

To avoid potential exponential growth caused by duplication, we need a further constraint on !-boxes:

• A !-box may be built around a term only when it contains at most one free variable.

Hence term constructions like

  ... let !zz be !y in (let !yy be !x in !xx),

which cause exponential growth, are prohibited.

To compensate for this, we need another kind of box, namely §-boxes. They are not duplicable. Instead they may contain an arbitrary number of free variables.

All these design concepts (and more) are realized in the following formal definition, which is written in a style inspired by [1].

Definition 2.2 Let X, Y, Z range over the finite sets of variables. Then the 4-ary relation t ∈ T_{X,Y,Z} (saying that t is a (well-formed) term with undischarged variables X, !-discharged variables Y and §-discharged variables Z) is defined as follows (in writing t ∈ T_{X,Y,Z}, we implicitly assume that X, Y and Z are mutually disjoint):

1. x ∈ T_{X,Y,Z} ⟺ x ∈ X.

2. λx.t ∈ T_{X,Y,Z} ⟺ t ∈ T_{X∪{x},Y,Z}, x ∉ X, FO(x, t) ≤ 1.

3. tu ∈ T_{X,Y,Z} ⟺ t ∈ T_{X,Y,Z}, u ∈ T_{X,Y,Z}.

4. !t ∈ T_{X,Y,Z} ⟺ t ∈ T_{Y,∅,∅}, FO(t) ≤ 1.

5. §t ∈ T_{X,Y,Z} ⟺ t ∈ T_{Y∪Z,∅,∅}.

6. let t be !x in u ∈ T_{X,Y,Z} ⟺ t ∈ T_{X,Y,Z}, u ∈ T_{X,Y∪{x},Z}, x ∉ Y.

7. let t be §x in u ∈ T_{X,Y,Z} ⟺ t ∈ T_{X,Y,Z}, u ∈ T_{X,Y,Z∪{x}}, x ∉ Z, FO(x, u) ≤ 1.

Finally, t is a (well-formed) term (t ∈ T) if t ∈ T_{X,Y,Z} for some X, Y and Z.

Example 2.3

1. ω_LA = λx.(let x be !y in §yy) ∈ T, and Ω_LA = ω_LA !ω_LA ∈ T.

2. For each natural number n, we have the Church numeral n̲ ∈ T defined by

  n̲ = λx.(let x be !z in §λy.(z ⋯ (z y) ⋯)),   with n occurrences of z.

3. For each word w = i_1 ⋯ i_n ∈ {0,1}*, we have w̲ ∈ T defined by

  w̲ = λx_0 x_1.(let x_0 be !z_0 in (let x_1 be !z_1 in §λy.(z_{i_1} ⋯ (z_{i_n} y) ⋯))).

Observe that these n̲'s and w̲'s are all of depth 1.


We have the following basic properties:

Lemma 2.4 Let t ∈ T_{X,Y,Z}.

1. If X ⊆ X', Y ⊆ Y' and Z ⊆ Z', then t ∈ T_{X',Y',Z'}.

2. If x ∉ FV(t), then t ∈ T_{X∖{x},Y∖{x},Z∖{x}}.

3. Let x ∈ FV(t). Then x occurs at depth 0 iff x ∈ X, and x occurs at depth 1 iff x ∈ Y ∪ Z. x never occurs at depth > 1.

Lemma 2.5 (Substitution)

1. t ∈ T_{X∪{x},Y,Z}, x ∉ X and u ∈ T_{X,Y,Z} ⟹ t{u/x} ∈ T_{X,Y,Z}.

2. t ∈ T_{X,Y∪{x},Z}, x ∉ Y, u ∈ T_{Y,∅,∅} and FO(u) ≤ 1 ⟹ t{u/x} ∈ T_{X,Y,Z}.

3. t ∈ T_{X,Y,Z∪{x}}, x ∉ Z and u ∈ T_{Y∪Z,∅,∅} ⟹ t{u/x} ∈ T_{X,Y,Z}.

Remark 2.6 As discussed by Asperti [2], a naive use of box notation causes ambiguity and, in conjunction with naive substitutions, has a disastrous effect on complexity.

Asperti fixed this by using a more sophisticated box notation of the form !(t)[u_1/x_1, ..., u_n/x_n], while our solution is more implicit and is based on the conceptual distinction between discharged and undischarged variables.

Asperti's box §(t x_1 x_2)[y/x_1, y/x_2] (with y of !-type) corresponds to (let y be !x in §(t x x)) in our syntax. Observe that the variable y, which is external to the §-box, is contracted in the former, while the variable x, which is internal to the §-box, is contracted in the latter. This parallels the difference between the contraction inference rule of Asperti's ILAL and that of Girard's original formulation of LLL: the former contracts !-formulas, while the latter contracts discharged formulas.

Remark 2.7 There is a quadratic time algorithm for checking whether a given pseudo-term is well-formed. Let t be a pseudo-term, and let X and Y be the sets of its free variables at depth 0 and at depth 1, respectively. Then t is well-formed iff t ∈ T_{X,Y,∅} (by Lemma 2.4 and the fact that t ∈ T_{X,Y,Z} implies t ∈ T_{X,Y∪Z,∅}). The latter can be recursively checked with at most |t| recursive calls, and each call involves a variable occurrence check at most once (corresponding to Clauses 2, 4 and 7 of Definition 2.2). Thus the algorithm runs in time O(n²), given a term of size n.
  Name    Redex                                  Contractum
  (β)     (λx.t)u                                t{u/x}
  (§)     let §u be §x in t                      t{u/x}
  (!)     let !u be !x in t                      t{u/x}
  (com)   (let u be †x in t)v                    let u be †x in (tv)
          let (let u be †x in t) be †y in v      let u be †x in (let t be †y in v)

Figure 2: Reduction Rules


2.3 Reduction

Definition 2.8 The reduction rules of λLA are those listed in Figure 2. We say that t reduces to u at address w by rule (r), and write t →^w_{(r)} u, if t = Φ[v_1], u = Φ[v_2], the hole • is located at w in Φ, and v_1 is an (r)-redex whose contractum is v_2.

Note that the address w uniquely determines the rule (r) to be used. When either the address w or the rule (r), or both, are irrelevant, we use the notations t →^w u, t →_{(r)} u and t → u. The depth of a reduction is the depth of its redex.

A finite sequence σ of addresses w_0, ..., w_{n-1} is said to be a reduction sequence from t_0 to t_n, written as t_0 →^σ* t_n, if there are pseudo-terms t_0, ..., t_n such that

  t_0 →^{w_0} t_1 →^{w_1} ⋯ →^{w_{n-1}} t_n.

If every reduction in σ is an application of (r), then σ is called an (r)-reduction sequence and written as t_0 →^σ_{(r)}* t_n (or simply as t_0 →_{(r)}* t_n). The length of σ is denoted by |σ|.

Remark 2.9 The stratified structure of a term is preserved by reduction. In particular, the depth of a term never increases, since in the reduction rules (β), (§) and (!) a subterm u is substituted for a variable x occurring at the same depth.

Reduction rules (β) and (§) strictly decrease the size of a term, since they never involve duplication. (com) just reorganizes the structure of a term without changing its size. The only reduction rule which causes duplication is (!). When applied at depth i, it possibly increases the sizes at depths > i, while it strictly decreases the size at depth i.

The terms are closed under reduction:

Proposition 2.10 If t ∈ T_{X,Y,Z} and t → u, then u ∈ T_{X,Y,Z}.

Proof. For example, if t is a (!)-redex let !u be !x in v, then v ∈ T_{X,Y∪{x},Z}, u ∈ T_{Y,∅,∅} and FO(u) ≤ 1. Hence v{u/x} ∈ T_{X,Y,Z} by Lemma 2.5. For the general case, show that a term u ∈ T_{X,Y,Z} can be replaced with another v ∈ T_{X,Y,Z} in a context without losing well-formedness, whenever FO(x, v) ≤ FO(x, u) for each x ∈ X ∪ Z. All reduction rules u → v meet the latter condition. ∎

Example 2.11 The term Ω_LA is a light affine analogue of Ω = (λx.xx)(λx.xx), which is not normalizable in the λ-calculus. However,

  Ω_LA = ω_LA !ω_LA → (let !ω_LA be !y in §yy) → §(ω_LA ω_LA) → §(let ω_LA be !y in §yy).

The last term cannot be reduced any more.
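The well-formedness check of Remark 2.7 and the reduction of Ω_LA in Example 2.11, worked out as an added example in Python (this is not code from the paper); the tuple encoding of pseudo-terms, the function names, and leftmost-outermost redex selection are this example's own choices, and the variable convention of Section 2.1 is assumed so that substitution makes no capture check.

```python
# Added example (not the paper's own code): λLA pseudo-terms as nested tuples, the
# well-formedness check of Definition 2.2 run as in Remark 2.7, and the (β), (§), (!)
# reduction rules of Figure 2, exercised on the paper's own example terms.
def V(x): return ('var', x)                          # x
def L(x, t): return ('lam', x, t)                    # λx.t
def A(t, u): return ('app', t, u)                    # tu
def B(box, t): return ('box', box, t)                # !t or §t, box in {'!', '§'}
def Let(u, box, x, t): return ('let', u, box, x, t)  # let u be †x in t

def fo(x, t):
    """FO(x, t): number of free occurrences of x in t."""
    k = t[0]
    if k == 'var': return int(t[1] == x)
    if k == 'lam': return 0 if t[1] == x else fo(x, t[2])
    if k == 'app': return fo(x, t[1]) + fo(x, t[2])
    if k == 'box': return fo(x, t[2])
    return fo(x, t[1]) + (0 if t[3] == x else fo(x, t[4]))

def free_depths(t, d=0, bound=frozenset()):
    """Set of (variable, depth) pairs over the free occurrences in t."""
    k = t[0]
    if k == 'var': return set() if t[1] in bound else {(t[1], d)}
    if k == 'lam': return free_depths(t[2], d, bound | {t[1]})
    if k == 'app': return free_depths(t[1], d, bound) | free_depths(t[2], d, bound)
    if k == 'box': return free_depths(t[2], d + 1, bound)
    return free_depths(t[1], d, bound) | free_depths(t[4], d, bound | {t[3]})

def wf(t, X, Y, Z):
    """t ∈ T_{X,Y,Z}, clause by clause as in Definition 2.2."""
    k = t[0]
    if k == 'var':                                           # clause 1
        return t[1] in X
    if k == 'lam':                                           # clause 2
        x, body = t[1], t[2]
        return x not in X | Y | Z and fo(x, body) <= 1 and wf(body, X | {x}, Y, Z)
    if k == 'app':                                           # clause 3
        return wf(t[1], X, Y, Z) and wf(t[2], X, Y, Z)
    if k == 'box' and t[1] == '!':                           # clause 4: FO(t) <= 1
        total = sum(fo(v, t[2]) for v in {v for v, _ in free_depths(t[2])})
        return total <= 1 and wf(t[2], Y, set(), set())
    if k == 'box':                                           # clause 5
        return wf(t[2], Y | Z, set(), set())
    u, box, x, body = t[1:]                                  # clauses 6 and 7
    if not wf(u, X, Y, Z) or x in X | Y | Z:
        return False
    if box == '!':                                           # let-! may bind many occurrences
        return wf(body, X, Y | {x}, Z)
    return fo(x, body) <= 1 and wf(body, X, Y, Z | {x})     # let-§ binds at most one

def is_term(t):
    """Remark 2.7: t ∈ T iff t ∈ T_{X,Y,∅}, X/Y = free variables at depth 0/1."""
    occ = free_depths(t)
    X, Y = {v for v, d in occ if d == 0}, {v for v, d in occ if d == 1}
    if X & Y or any(d > 1 for _, d in occ):                  # ruled out by Lemma 2.4(3)
        return False
    return wf(t, X, Y, set())

def subst(t, x, u):
    """t{u/x}; the variable convention is assumed, so no capture check is made."""
    k = t[0]
    if k == 'var': return u if t[1] == x else t
    if k == 'lam': return t if t[1] == x else L(t[1], subst(t[2], x, u))
    if k == 'app': return A(subst(t[1], x, u), subst(t[2], x, u))
    if k == 'box': return B(t[1], subst(t[2], x, u))
    body = t[4] if t[3] == x else subst(t[4], x, u)
    return Let(subst(t[1], x, u), t[2], t[3], body)

def contract(t):
    """Contractum of t if it is a (β), (§) or (!) redex of Figure 2, else None."""
    if t[0] == 'app' and t[1][0] == 'lam':                   # (β): (λx.t)u → t{u/x}
        return subst(t[1][2], t[1][1], t[2])
    if t[0] == 'let' and t[1][0] == 'box' and t[1][1] == t[2]:  # (§), (!): let †u be †x in t
        return subst(t[4], t[3], t[1][2])
    return None                                              # mismatched boxes deadlock

def step(t):
    """One reduction at the leftmost-outermost redex, or None when t is normal."""
    c = contract(t)
    if c is not None: return c
    for i, sub in enumerate(t):
        r = step(sub) if isinstance(sub, tuple) else None
        if r is not None: return t[:i] + (r,) + t[i + 1:]
    return None

def depth(t):  # number of boxes enclosing the deepest node (Section 2.1)
    return (t[0] == 'box') + max([depth(s) for s in t if isinstance(s, tuple)] + [0])

def normalize(t):
    """Normal form of t, with the depth recorded after each step (Remark 2.9)."""
    depths = [depth(t)]
    while (n := step(t)) is not None:
        t, depths = n, depths + [depth(n)]
    return t, depths

omega = L('x', Let(V('x'), '!', 'y', B('§', A(V('y'), V('y')))))   # ω_LA
Omega = A(omega, B('!', omega))                                      # Ω_LA
dereliction = L('x', Let(V('x'), '!', 'y', V('y')))                  # let x be !y in y
digging = L('x', Let(V('x'), '!', 'y', B('!', B('!', V('y')))))      # let x be !y in !!y
exp_growth = Let(B('!', A(V('z'), V('z'))), '!', 'y',                # let !zz be !y in (let !yy be !x in !xx)
                 Let(B('!', A(V('y'), V('y'))), '!', 'x', B('!', A(V('x'), V('x')))))
```

normalize(Omega) performs the three steps of Example 2.11 and reports depth 2 throughout, while dereliction, digging and exp_growth are rejected by is_term exactly at the clauses discussed in Section 2.2.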

3 Type Assignment System

We introduce ILAL as a type assignment system for λLA. Our formulation is, however, different from Asperti's in that we use Girard's discharged formulas.

Let α, β range over the type variables.

Definition 3.1 The types (formulas) of ILAL are given by the following grammar:

  A, B ::= α | A ⊸ B | ∀α.A | !A | §A.

A !-discharged type is an expression of the form [A]_!. A §-discharged type is an expression of the form [A]_§.

In the sequel, †^n A abbreviates † ⋯ † A with n occurrences of †.

A declaration is an expression of the form x:A or x:[A]_†. A finite set of declarations is denoted by Γ, Δ, etc.

Definition 3.2 The type inference rules of ILAL are those given in Figure 3. We say that a pseudo-term t is typable in ILAL if Γ ⊢ t : A is derivable for some Γ and A by those inference rules.
  (Id)    x:A ⊢ x:A

  (Cut)   Γ_1 ⊢ u:A    x:A, Γ_2 ⊢ t:C
          -----------------------------
          Γ_1, Γ_2 ⊢ t{u/x}:C

  (Weak)  Γ ⊢ t:C
          ------------
          Δ, Γ ⊢ t:C

  (⊸l)    Γ_1 ⊢ u:A_1    x:A_2, Γ_2 ⊢ t:C
          -------------------------------------
          y:A_1 ⊸ A_2, Γ_1, Γ_2 ⊢ t{yu/x}:C

  (Cntr)  x:[A]_!, y:[A]_!, Γ ⊢ t:C
          -----------------------------
          z:[A]_!, Γ ⊢ t{z/x, z/y}:C

  (⊸r)    x:A_1, Γ ⊢ t:A_2
          -------------------------
          Γ ⊢ λx.t : A_1 ⊸ A_2

  (∀l)    x:A{B/α}, Γ ⊢ t:C
          ---------------------
          x:∀α.A, Γ ⊢ t:C

  (∀r)    Γ ⊢ t:A
          -------------    (α ∉ FV(Γ))
          Γ ⊢ t:∀α.A

  (!l)    x:[A]_!, Γ ⊢ t:C
          ----------------------------------
          y:!A, Γ ⊢ let y be !x in t : C

  (§l)    x:[A]_§, Γ ⊢ t:C
          ----------------------------------
          y:§A, Γ ⊢ let y be §x in t : C

  (!r)    x_1:B_1, ..., x_m:B_m ⊢ t:A
          -------------------------------------------    (0 ≤ m ≤ 1)
          x_1:[B_1]_!, ..., x_m:[B_m]_! ⊢ !t : !A

  (§r)    x_1:B_1, ..., x_m:B_m, y_1:C_1, ..., y_n:C_n ⊢ t:A
          ------------------------------------------------------------------    (m, n ≥ 0)
          x_1:[B_1]_!, ..., x_m:[B_m]_!, y_1:[C_1]_§, ..., y_n:[C_n]_§ ⊢ §t : §A

Figure 3: Type Assignment System ILAL


Remark 3.3 Observe that if x:A, Γ ⊢ t:C, namely x is of undischarged type, then x occurs at most once in t. Therefore, no duplication is caused by the substitutions used in the (Cut) and (⊸l) rules, which always operate on undischarged types. That is one reason why we can do away with the explicit substitutions of [2].

Discharged types act as a barrier to substitution into boxes, in the same way as Wadler[21]'s patterns act in his term syntax for Intuitionistic Linear Logic; we could alternatively use the latter to obtain the same effect.

As expected, we have:

Theorem 3.4 Every typable pseudo-term is a term. More exactly, if

  x⃗:A⃗, y⃗:[B⃗]_!, z⃗:[C⃗]_§ ⊢ t:D,

then t ∈ T_{X,Y,Z}, where X, Y and Z are the sets of variables in x⃗, y⃗ and z⃗, respectively.

Proof. By induction on the length of the typing derivation. In the cases of (Cut) and (⊸l), apply Lemma 2.5(1). ∎

Theorem 3.5 (Subject Reduction) If Γ ⊢ t : A and t → u, then Γ ⊢ u : A.

Example 3.6 Let int = ∀α.!(α ⊸ α) ⊸ §(α ⊸ α) and bint = ∀α.!(α ⊸ α) ⊸ !(α ⊸ α) ⊸ §(α ⊸ α). Then we have ⊢ n̲ : int for each n ∈ ℕ and ⊢ w̲ : bint for each w ∈ {0,1}*.

An example of an untypable term is Ω_LA. To see the reason, define the erasure of a term of λLA to be the λ-term obtained by applying the following operations as much as possible:

  †u ↦ u,

  let u be †x in t ↦ t{u/x}.

If a term is typable in ILAL, then its erasure is typable in System F (in the Curry style, see [6]). Now, Ω_LA cannot be typed in ILAL, since the erasure of Ω_LA is Ω, a term which cannot be typed in System F.

Remark 3.7 Types are not necessary for polytime normalizability. Nevertheless, they are useful in several ways.

• Types are used to avoid deadlocks, such as (†t)u and let (λx.t) be †x in u.

• Some types, typically data types such as int and bint, constrain the shape of normal forms: every normal term of type int is of the form n̲ (or λx.(let x be !z in §z), which may be seen as an η-variant of 1̲). In general, for k ≥ 0, every normal term of type §^k int is of the form §^k n̲ (or an η-variant of §^k 1̲). Similarly, all normal inhabitants of bint are of the form w̲.

• More generally, all lazy types, including int and bint, constrain the depths of normal forms. Say that a type is lazy if it does not contain a negative occurrence of ∀. If a term t is normal and of lazy type A, then t : A can be derived without using the (∀l) inference rule, which has the effect of hiding some information on derivations. Thus all uses of the ! and § inference rules in the derivation are recorded in A. Hence the depth of t is immediately bounded by the depth d of A.

• The above suggests that in order to normalize a term of lazy type A we do not have to fire redexes at depth > d, which will be removed by reductions at lower depths before arriving at the normal form. In this way, lazy types give us useful information on normalization.

The expressive power of ILAL, hence of λLA, is witnessed by:

Theorem 3.8 (Girard[10], Roversi[19]) Every function f : {0,1}* → {0,1}* which is computable in time O(n^d) is represented by a term of type bint ⊸ §^{d+1} bint.

(See [3] for a good exposition. See also [17] for another proof.)

The converse will be taken up in Section 5 after the polytime normalizability of λLA has been proved.

Remark 3.9 We are rather free in the choice of type systems; for example, we can enrich ILAL with naive set theory or fixpoints of types (as in [10]), still preserving the polytime normalizability and the logical consistency (i.e., having no inhabitant of 0 = ∀α.α). To put it the other way round, any logical system which is cut-free consistent (i.e., with no normal inhabitant of 0) is consistent, insofar as it can be used as a type system for λLA and satisfies the properties of Theorems 3.4 and 3.5.

4 Proving the Polystep Strong Normalization Theorem

The key step toward the polystep strong normalization theorem is standardization, i.e., transforming a reduction sequence into an outer-layer-first one without decreasing the length (in 4.2). To achieve this, we first need to extend λLA with explicit weakening and to give a translation of reduction sequences in λLA into this extended calculus (in 4.1). Finally we show that the length of a standard reduction sequence thus obtained is polynomially bounded (in 4.3).

4.1 An extended calculus with explicit weakening

The set PT^w of extended pseudo-terms is defined analogously to PT, but each extended pseudo-term may contain a subexpression of the form let t be _ in u (explicit weakening). To define well-formedness, we give a new 4-ary relation t ∈ T^w_{X,Y,Z}, modifying Definition 2.2 as follows.

(1) Replace clauses 2, 6, and 7 with:

2' λx.t ∈ T^w_{X,Y,Z} ⟺ t ∈ T^w_{X∪{x},Y,Z}, x ∉ X, FO(x, t) = 1.

6' let t be !x in u ∈ T^w_{X,Y,Z} ⟺ t ∈ T^w_{X,Y,Z}, u ∈ T^w_{X,Y∪{x},Z}, x ∉ Y, FO(x, u) ≥ 1.

7' let t be §x in u ∈ T^w_{X,Y,Z} ⟺ t ∈ T^w_{X,Y,Z}, u ∈ T^w_{X,Y,Z∪{x}}, x ∉ Z, FO(x, u) = 1.

(Namely, we require that each binder must bind at least one variable occurrence.)

(2) Add the following clause:

8' let t be _ in u ∈ T^w_{X,Y,Z} ⟺ t ∈ T^w_{X,Y,Z}, u ∈ T^w_{X,Y,Z}.

We say that t is a (well-formed) extended term (t ∈ T^w) if t ∈ T^w_{X,Y,Z} for some X, Y, Z.

The reduction rules in Figure 2 are extended to PT^w with the following modifications:

• Generalize (com) so that it is also applicable to the new let operator for explicit weakening.

• Add a new reduction rule (_): let u be _ in t → t.

Reduction rules other than (_) are called proper. A reduction sequence is proper if every reduction in it is proper.

Lemmas 2.4 and 2.5 hold for T^w, too. In addition, we have:

Proposition 4.1 If t ∈ T^w_{X,Y,Z}, t →_{(r)} u and (r) is proper, then u ∈ T^w_{X,Y,Z}.
Now we consider a translation of λLA into the extended calculus.

Lemma 4.2 For each term t, there is an extended term t^w such that t^w →_{(_)}* t and |t^w| ≤ 4|t|.

Proof. By induction on t. If t = λx.u and FO(x, u) = 0, let t^w = λx.(let x be _ in u^w). If t = (let v be †x in u) and FO(x, u) = 0, let t^w = let v^w be †x in (let §x be _ in u^w). ∎

Theorem 4.3 (Translation into the extended calculus) Let t_0 be a term and let t_0 →^σ* t_1 be a reduction sequence in λLA. Then there are extended terms t_0^w, t_1^w and a proper reduction sequence τ such that |σ| ≤ |τ|, |t_0^w| ≤ 4|t_0| and

  t_0^w →_{(_)}* t_0,   t_0^w →^τ* t_1^w →_{(_)}* t_1.

Proof (Idea). By Lemma 4.2, there is an extended term t_0^w such that

  t_0^w →_{(_)}* t_0 →^σ* t_1.

By permuting it suitably, we can obtain

  t_0^w →^τ* t_1^w →_{(_)}* t_1

such that τ is proper and |τ| ≥ |σ|. For example, a reduction sequence of the form

  (let v be _ in (λx.t))u →_{(_)} (λx.t)u →_{(β)} t{u/x}

can be transformed into the following longer one:

  (let v be _ in (λx.t))u →_{(com)} let v be _ in ((λx.t)u) →_{(β)} let v be _ in t{u/x} →_{(_)} t{u/x}.

In more detail, we use the following two lemmas for each step of permutation, which are shown by exhaustive case analyses. ∎

Lemma 4.4 Let t_0 ∈ PT^w. If t_0 →_{(_)} t_1 →_{(r)} t_2, then t_0 →^σ* t'_1 →_{(_)} t_2 for some t'_1 and σ with |σ| ≥ 1.

Lemma 4.5 Let t_0 ∈ PT^w. If t_0 →^{w_1}_{(r)} t_1 →^{w_2} t_2, where (r) is neither (com) nor (_), then [the conclusion of the statement is illegible in the source].

4.2 Standardization theorem

A reduction sequence σ is standard if it can be partitioned into subsequences σ_0; σ_1; ...; σ_{2d+1} such that, for i ≤ d, σ_{2i+1} consists of (!)-reductions at depth i and σ_{2i} consists of other reductions at depth i.

Theorem 4.6 (Standardization) Let t_0 be an extended term and σ be a proper reduction sequence t_0 →^σ* t_1. Then there is a standard proper reduction sequence τ with t_0 →^τ* t_1 such that |σ| ≤ |τ|.

Proof (Idea). The proof is again based on permutation of reduction sequences. For example, let u be a (β)-redex and u' be its contractum, and consider the following nonstandard reduction sequence:

  let !u be !x in v →_{(β)} let !u' be !x in v →_{(!)} v{u'/x}.

Here the first reduction is at depth 1 and the second at depth 0. It can be standardized as follows:

  let !u be !x in v →_{(!)} v{u/x} →^σ_{(β)}* v{u'/x}.

Since (let !u be !x in v) is an extended term, we have FO(x, v) ≥ 1. Hence v{u/x} contains at least one occurrence of the (β)-redex u, so |σ| ≥ 1. Therefore the length of a reduction sequence never decreases by this permutation. ∎

4.3 Bounding lengths of standard reduction sequences

For each extended term t, its partial size s_i(t) at depth i is defined in Figure 4 (where i ranges over the numbers ≥ 1).

We define s(t) to be Σ_{i≥0} s_i(t). The only difference between |t| and s(t) is that the size of a box †t in the latter sense also counts the number of free variable occurrences in t. Note that |t| ≤ s(t) ≤ 2|t|.

The theorem below is essentially due to [10, 2]. In our case, however, the length of a reduction sequence may slightly exceed the size of its final term, since we have the commuting reduction rule (com).
  s_0(x) = 1                                         s_i(x) = 0
  s_0(λx.t) = s_0(t) + 1                             s_i(λx.t) = s_i(t)
  s_0(tu) = s_0(t) + s_0(u) + 1                      s_i(tu) = s_i(t) + s_i(u)
  s_0(†t) = FO(t) + 1                                s_i(†t) = s_{i-1}(t)
  s_0(let t be †x in u) = s_0(t) + s_0(u) + 1        s_i(let t be †x in u) = s_i(t) + s_i(u)
  s_0(let t be _ in u) = s_0(t) + s_0(u) + 1         s_i(let t be _ in u) = s_i(t) + s_i(u)

Figure 4: Partial Sizes


Theorem 4.7 (Polynomial bounds for standard reduction sequences) Let t_0 be an extended term of depth d and σ be a standard proper reduction sequence t_0 →^σ* u. Then s(u) ≤ s(t_0)^{2^d} and |σ| ≤ s(t_0)^{2^{d+1}}.

Proof. The first claim is proved by iteratively applying Lemma 4.8 below, starting from depth 0 and ending with depth d. See also Remark 2.9. The second claim follows by Lemma 4.9. ∎

Lemma 4.8 Let σ be a reduction sequence t →^σ* t' which consists of (!)-reductions at depth i. Then we have s_j(t') ≤ s_j(t) · s_i(t) for each j > i.

Proof (Idea). For simplicity, let us assume i = 0 and j = 1. To estimate the potential size growth caused by (!)-reductions, we make the following definition. For each extended term t, its unfolding is an extended pseudo-term ⇑t ∈ PT^w which is obtained by hereditarily replacing each subterm of the form (let !t be !x in u) at depth 0 with

  let !⇑t ⋯ !⇑t be !x in ⇑u   (n copies of !⇑t),

where n = FO(x, ⇑u). (Intuitively, we perform all possible "contraction reductions" in advance.)

Then we can show

(1) FO(⇑v) ≤ s_0(v),

(2) s_1(v) ≤ s_1(⇑v) ≤ s_0(v) · s_1(v),

by induction on v. (The property that each !-box contains at most one free variable is crucial here.) Moreover, we can also show that

(3) if v → v' at depth 0, then s_1(⇑v') ≤ s_1(⇑v).

The lemma follows from (2) and (3):

  s_1(t') ≤ s_1(⇑t') ≤ s_1(⇑t) ≤ s_0(t) · s_1(t). ∎

Lemma 4.9 Let σ be a reduction sequence t →^σ* t' which consists of reductions at depth i. Then we have |σ| ≤ s_i(t)².

Proof (Idea). For simplicity, assume that i = 0. Let v be an extended term. For each occurrence of a let subterm u = (let u_1 be ∗ in u_2) at depth 0 in v, where ∗ is either _ or †x, define

  com(u, v) := s_0(v) − s_0(u_2).

Define com(v) to be the sum of all com(u, v)'s with u ranging over all such occurrences of let-expressions. Then we claim:

(1) s_0(v) + com(v) ≤ s_0(v)².

(2) If v → v' by a reduction at depth 0, then s_0(v') + com(v') < s_0(v) + com(v).

The lemma follows from these two. ∎

5 Main Results

Now we are in a position to state the main results of this paper. From Theorems 4.3, 4.6 and 4.7, it follows:

Theorem 5.1 (Polystep strong normalization) For every term t_0 of size s and depth d, the following hold:

(i) every reduction sequence from t_0 has a length bounded by O(s^{2^{d+1}});

(ii) every term to which t_0 reduces has a size bounded by O(s^{2^d}).

Corollary 5.2 (Church-Rosser property) If t_0 is a term and t_1 ←* t_0 →* t_2, then t_1 →* t_3 ←* t_2 for some term t_3.

Proof. By showing local confluence, which is straightforward. ∎
To make precise what we mean by polytime strong normalization, we give the following definitions. A reduction strategy for T is a partial function f : T → {0,1}* such that f(t) gives an address of a redex of t whenever t is reducible, and is undefined otherwise. We can think of a Turing machine normalize_f with function oracle f, described as follows:

  input t
  loop
    query the oracle f to obtain f(t)
    if f(t) is defined
      then let t := t' such that t →^{f(t)} t'
      else output t and halt
  end loop.

Now we have:

Corollary 5.3 (Polytime strong normalization) For any reduction strategy f for T, normalize_f terminates in time O(s^{2^{d+2}}), given a term t_0 of size s and depth d as input. It outputs the normal form of t_0.

Proof. Observe that each step of reduction t → t' is carried out in quadratic time: the worst case, namely the case of (!)-reduction, consists in substituting a subterm of size ≤ |t| for at most |t| variable occurrences. Therefore the total runtime is roughly estimated by the number of steps (Theorem 5.1(i)) times the square of the size bound (Theorem 5.1(ii)), i.e., s^{2^{d+1}} · (s^{2^d})² = s^{2^{d+2}}. ∎

Finally let us mention the converse of Theorem 3.8. (This is essentially due to [10, 2], but we include it here for self-containedness.)

Theorem 5.4 Every term t of type bint ⊸ §^d bint represents a function f : {0,1}* → {0,1}* which is computable in time O(n^{2^{d+3}}).

Proof. Recall that all w̲'s are of depth 1, so that t w̲ is of constant depth for every w ∈ {0,1}*. Without loss of generality, we may assume that the depth is equal to the depth of §^d bint, i.e., d+1 (just ignore the deeper layers, which do not contribute to the normal form; see Remark 3.7). By Corollary 5.3, the normal form of t w̲ is computed in time O(|t w̲|^{2^{d+3}}), thus in time O(|w|^{2^{d+3}}) (by taking a reasonable reduction strategy of low complexity). The normal form should be of the form §^d w̲', and such w' is unique by the Church-Rosser property. ∎

Corollary 5.5 (Characterization of the Polytime Functions) A function f : {0,1}* → {0,1}* is polytime computable if and only if it is represented by a λLA term of type bint ⊸ §^d bint for some d.

Observe, however, that there is an exponential gap between the representability (a function computable in time O(n^d) is representable by a term of depth d+1) and the normalizability (a term of depth d is normalizable in time O(n^{2^{d+2}})).

6 Concluding Discussion

We have introduced an untyped term calculus λLA, which has ILAL as a
type assignment system, and showed the polytime strong normalization
theorem for λLA. It follows that every term typable in ILAL, which can
be considered as structurally representing an ILAL proof, is polytime
strongly normalizable.

Strong polytime normalization for LLL. Before turning to LLL, let us
consider decompositions of the (!) reduction rule:

(!1) let !u be !x in t[x] → let !u be !x in t[u];

(!2) let !u be !x in t → t, if x ∉ FV(t).

Clearly the (!) reduction rule is simulated by these two. With this
modification, we still have the polytime strong normalization theorem.
Note that these rules are natural counterparts of Girard's [10]
reduction rules for the exponential boxes: (!1) corresponds to the
contraction reduction and (!2) to the weakening reduction.

Given this, it is quite plausible that we can apply our technique to
LLL to show the strong polytime normalization theorem for the proofnets
of LLL (with formulas erased). There is, however, a limitation that
additives should be treated in a lazy way, because eager reductions of
additive boxes cost exponential time.

On weakly polytime programs and interpretation of safe recursion. Let
us consider polytime programs in functional programming in general.
Since execution of such programs depends on reduction strategies, it
makes sense to classify them into the strongly polytime programs (which
are polytime executable by any strategy) and the weakly polytime ones
(which are polytime executable only by some strategy). λLA accepts only
strongly polytime programs. By contrast, most polytime type systems
based on safe recursion ([7, 16]) accept weakly polytime programs, too
(see, e.g., [15, 11, 8]). Typically they allow the following
conditional

cond(x) := if p(x) then f1(x) else f2(x)

to be iterated when the argument x is safe. It is easy to see that
iteration of cond is weakly polytime but not strongly, since unfolding
the iteration without computing the conditional yields a term of
exponential size. (By the way, observe that iteration of this kind of
conditional is the key to encoding Turing machine computations; think
of p as discriminating the current configuration and f1 and f2 as
transforming it accordingly. Being strongly polytime systems, light
systems do not allow conditionals like the above to be iterated, at
least in full generality. That is why the encoding of Turing machines
is so delicate in light systems (see [19, 3]).)

An interesting consequence is that there cannot be a "reasonable"
embedding of those type systems of safe recursion into λLA which
preserves the reduction relation. To be more precise, there is no
inductive embedding such that

• it maps numerals of the former systems to λLA terms of polynomial
size and of constant depth, and

• whenever t one-step reduces to u in the former systems, the
translation of t reduces to that of u in several (but not zero) steps
in λLA.

Therefore there is a limitation on the interpretability of safe
recursion; although there still remains a possibility to have a
non-reduction-preserving embedding which prunes exponential reduction
sequences in the original system so that a weakly polytime program is
transfigured into a strongly polytime one. (This remark is
complementary to the result of [17], which shows that safe recursion
with non-contractible safe variables is interpretable in ILAL.)

We leave the following to future work:

• Pursuit of efficiency in normalization. The polynomial time bound
given in this paper describes the complexity of the worst reduction
strategy among all possible ones. It seems likely that we can
significantly improve it by specifying a wiser strategy (perhaps a
deeper-layer-first one). In particular we would like to know if it is
possible to fill the exponential gap mentioned at the end of the
previous section.

• Incorporation of inductive data types as primitives, while keeping
the polytime upper bound for normalization; it will make λLA more
accessible to programmers.

• Extension of the light logical approach to other complexity classes,
such as the polynomial hierarchy and polynomial space.
Abstract

We develop a uniform type theory that integrates intensionality,
extensionality, and proof irrelevance as judgmental concepts. Any
object may be treated intensionally (subject only to α-conversion),
extensionally (subject also to βη-conversion), or as irrelevant (equal
to any other object at the same type), depending on where it occurs.
Modal restrictions developed in prior work for simple types are
generalized and employed to guarantee consistency between these views
of objects. Potential applications are in logical frameworks,
functional programming, and the foundations of first-order modal
logics.

Our type theory contrasts with previous approaches that a priori
distinguish propositions (whose proofs are all identified; only their
existence is important) from specifications (whose implementations are
subject to some definitional equalities).


1 Introduction

In the development of type theory, there has been considerable debate
about the degree of extensionality or intensionality that should be
inherent in its formulation. In an extensional theory such as the one
underlying Nuprl [4] type-checking is undecidable. In a non-extensional
theory¹ such as later versions of Martin-Löf's type theory [17], we
distinguish a definitional equality (also called judgmental equality)
which is not extensional and decidable, from a propositional equality
which is extensional and undecidable. There are a number of tradeoffs,
both from the philosophical and pragmatic points of view. In an
undecidable, extensional theory, programs are significantly more
compact than in a decidable, non-extensional theory. On the other
hand, we need external arguments to validate the correctness of
programs, defeating at least in part the motivations underlying the
separation of judgments from propositions [11, 12]. Furthermore, the
development of extensional concepts in a non-extensional type theory is
far from straightforward, as can be seen from Hofmann's systematic
study [10].

* This work was partially supported by NSF Grant CCR-9988281.

¹ Such type theories are often called intensional, but this is
somewhat misleading since the meaning of objects is still subject to
some conversion rules.

Related is the issue of proof irrelevance, which plays an important
role in the development of mathematical concepts in type theory via
subset types or quotient types. For example, the type {x:A | B(x)}
should contain the elements M of type A that satisfy property B. If we
want type-checking to be decidable, we require evidence that B(M) is
satisfied, but we should not distinguish between different proofs of
B(M): they are irrelevant.

In this paper we present a type theory that internalizes the concepts
of intensionality, extensionality, and proof irrelevance via
distinctions familiar from modal logic. We strictly follow
Martin-Löf's separation of judgments from propositions and both
type-checking and definitional equality are decidable.

At the heart of our modal type theory are three judgments

M :: A    M is an expression of type A,
M : A     M is a term of type A, and
M ÷ A     M is a proof of type A,

constructed from the same set of objects M and types A. Expressions are
treated intensionally: they are subject only to α-conversion. Terms are
treated extensionally: they are additionally subject to β- and
η-conversion. Proofs are treated as if irrelevant: any two proofs of
the same type are identified. All these are part of the definitional
equality of the type theory, which therefore combines intensionality,
extensionality, and irrelevance into a single system in a coherent way.

It is a critical property of our type theory that the distinction
between expressions, terms, and proofs is not made at the time the
constituent constants are declared, but at the time those constants
are used. Any type A can be seen as the type of an expression, the type
of a term (= a specification), or the type of a proof (= a
proposition). Similarly, an object M may be seen as an expression, as a
term, or as a proof, depending only on whether some conditions on its
free variables are satisfied. We believe that this flexibility is an
inherent advantage of our approach compared to a priori separating
propositions (inhabited by proofs that are always irrelevant) from
specifications (inhabited by terms that are never irrelevant). This is
the approach mostly taken in the literature (see, for example, [18] or,
allowing even for some classical reasoning, [2]).

Our system is also interesting in its relation to intuitionistic modal
logic when we ignore the objects. Our default judgment M : A can be
interpreted as "A is true". The judgment M :: A can be read as "A is
valid". The judgment M ÷ A can be read as "A is provable", hiding the
proof object. These can be seen as modes of truth, and the work
presented here is an extension of prior work on proof term calculi for
the modal logic S4 [20] where validity corresponds to necessary truth.

In a type theory as a foundation for functional programming, irrelevant
objects (that is, proofs) are erased before execution without affecting
the observable outcome. From this point of view, our type system
internally captures a notion of dead-code elimination (see, for
example, [1] for a survey and position paper on related type-based
approaches). However, we need to extend our type theory with
first-class modal operators in order to use it in the context of a
complete functional language. Two non-dependent theories in this style
are given in [20], explaining an intuitionistic modal logic with
necessity (□A) and possibility (◇A). A proper treatment of the fully
dependent version of these theories would seem to require an equational
theory with commuting conversions and is therefore left to future work.
Fortunately, it is possible to develop a consistent and useful type
theory where these judgments are considered primarily as hypotheses.
Instead of internalizing them as modal operators, we internalize the
corresponding hypothetical judgment as function types. Such a
restriction is not new: it goes back to similar treatments of linear
logic [9] and linear type theory [3] with similar motivations.

In the remainder of the paper we present our type theory, investigate
its properties, and sketch some further developments and potential
applications.


2 A Modal Type Theory

Our modal type theory is a conservative extension of LF [7]. Our
approach follows the outline of [8], adapted here to our more general
type theory. The interested reader may find additional details in [19].


2.1 Syntax

The syntax is stratified into objects, families, and kinds as for LF.

Kinds       K ::= type | Πx:A. K | Πx::A. K | Πx÷A. K
Families    A ::= a | A M | Πx:A1. A2
                  | A • M | Πx::A1. A2
                  | A ∘ M | Πx÷A1. A2
Objects     M ::= c | x | λx:A. M | M1 M2
                  | λx::A. M | M1 • M2
                  | λx÷A. M | M1 ∘ M2
Signatures  Σ ::= · | Σ, a:K | Σ, c:A
Contexts    Γ ::= · | Γ, x:A | Γ, x::A | Γ, x÷A

Here, M1 • M2 is an application whose argument (M2) is treated as an
expression (intensionally), while M1 ∘ M2 is an application whose
argument is treated as a proof (irrelevant for equality). We use K for
kinds, A, B, C for type families, M, N, P for objects, Γ for contexts
and Σ for signatures. We also use the symbol "kind" to classify the
valid kinds. We consider terms that differ only in the names of their
bound variables as identical. We write [N/x]M, [N/x]A and [N/x]K for
capture-avoiding substitution. Signatures and contexts may declare each
constant and variable at most once. For example, when we write Γ, x:A
we assume that x is not already declared in Γ. If necessary, we tacitly
rename x before adding it to the context Γ. Since a signature is
generally fixed, and constants may be used anywhere, we have permitted
only two forms of constant declaration, namely a:K and c:A. Note that
this is not a restriction for our applications, since it is the use,
not the definition, of a constant which determines its status with
respect to definitional equality.

2.2 Judgments

The modal type theory is defined by the following principal judgments.

⊢ Σ sig                  Σ is a valid signature
⊢_Σ Γ ctx                Γ is a valid context

Γ ⊢_Σ M : A              M has type A
Γ ⊢_Σ A : K              A has type K
Γ ⊢_Σ K : kind           K is a valid kind

Γ ⊢_Σ M = N : A          M extensionally equals N
Γ ⊢_Σ A = B : K          A extensionally equals B
Γ ⊢_Σ K = L : kind       K extensionally equals L

Γ ⊢_Σ M ≡ N : A          M intensionally equals N

As explained later, intensional equality for types and kinds is not
needed directly, and proof irrelevance is a derived concept.
For the judgment ⊢_Σ Γ ctx we presuppose that Σ is a valid signature.
For the remaining judgments of the form Γ ⊢_Σ J we presuppose that Σ is
a valid signature and that Γ is valid in Σ. For the sake of brevity we
omit the signature Σ from all judgments but the first, since it does
not change throughout a derivation.

If J is a typing or equality judgment, then we write [M/x]J for the
obvious substitution of M for x in J. For example, if J is N : B, then
[M/x]J stands for the judgment [M/x]N : [M/x]B.

We also have several derived judgments that are central to the nature
of our type theory. Each of them is defined by only a single rule. In
order to explain these additional judgments we need two critical
operations on contexts. The first, Γ⊕, hides all term variables x:A by
converting them to proof variables x÷A. The second, Γ⊖, resurrects all
proof variables x÷A by converting them to term variables x:A. Other
declarations are unaffected in both cases.

(·)⊕ = ·                       (·)⊖ = ·
(Γ, x:A)⊕  = Γ⊕, x÷A           (Γ, x:A)⊖  = Γ⊖, x:A
(Γ, x::A)⊕ = Γ⊕, x::A          (Γ, x::A)⊖ = Γ⊖, x::A
(Γ, x÷A)⊕  = Γ⊕, x÷A           (Γ, x÷A)⊖  = Γ⊖, x:A


Intensional Expressions. The new judgments

Γ ⊢_Σ M :: A             M is an expression of type A
Γ ⊢_Σ A :: K             A is an expression type of kind K
Γ ⊢_Σ M = N :: A         M and N are equal expressions
Γ ⊢_Σ A = B :: K         A and B are equal expression types

are defined by the following rules

  Γ⊕ ⊢_Σ M : A          Γ⊕ ⊢_Σ A : K
  --------------        --------------
  Γ ⊢_Σ M :: A          Γ ⊢_Σ A :: K

  Γ⊕ ⊢_Σ M ≡ N : A      Γ⊕ ⊢_Σ A = B : K
  ------------------    ------------------
  Γ ⊢_Σ M = N :: A      Γ ⊢_Σ A = B :: K

The idea is that an expression cannot refer to a term variable x:B,
which would violate intensionality. Thus we mark these variables as
irrelevant, x÷B, which is accomplished by the ( )⊕ operation. Note,
however, that intensionality and irrelevance interact: proof variables
may still occur in an intensional expression, but only inside other
proofs! The rules for equality indicate that only intensionally equal
terms are considered as equal expressions. We do not directly refer to
α-convertibility here because expressions may contain proofs that must
be identified, even as subterms of expressions. Note that expression
types are not intensional, but that there is a restriction regarding
their validity: expression types can not depend on term variables
directly.

In general, M :: A is inherently stronger than M : A, that is, M :: A
implies M : A but not vice versa. In particular, x:A ⊬_Σ x :: A.


Irrelevant Proofs. The new judgments

Γ ⊢_Σ M ÷ A              M is a proof of type A
Γ ⊢_Σ A ÷ K              A is a proof type of kind K
Γ ⊢_Σ M = N ÷ A          M and N are equal proofs
Γ ⊢_Σ A = B ÷ K          A and B are equal proof types

are defined by the following rules

  Γ⊖ ⊢_Σ M : A          Γ⊖ ⊢_Σ A : K
  --------------        --------------
  Γ ⊢_Σ M ÷ A           Γ ⊢_Σ A ÷ K

  Γ⊖ ⊢_Σ M = M : A    Γ⊖ ⊢_Σ N = N : A      Γ⊖ ⊢_Σ A = B : K
  ------------------------------------      -----------------
  Γ ⊢_Σ M = N ÷ A                           Γ ⊢_Σ A = B ÷ K

The idea is that a proof may depend on expression variables, term
variables, and proof variables. This effect is achieved by relabelling
hypotheses x÷B to x:B in the ( )⊖ operation. Note that equality between
proofs implements proof irrelevance in the classical sense. We could
replace the premise Γ⊖ ⊢_Σ M = M : A with Γ⊖ ⊢_Σ M : A (and similarly
for N), but for technical reasons it is simpler if the equality
judgment does not refer to the typing judgment here.

It is important that M ÷ A is inherently weaker than M : A. In
particular, x÷A ⊬_Σ x : A. In other words, terms can not depend on
proof variables, but other proofs can. Under a functional
interpretation, it is this property which allows the consistent erasure
of all proof objects without affecting the observable outcome (assuming
proofs are not observable).

Note that, unlike the systems in [5, 20], the rules have the property
of variable monotonicity: when viewed bottom-up, every variable is
preserved, only its status might change from the conclusion to the
premise of a rule. This is inspired by a similar idea in [13] and is
needed for a clean interaction between expressions and proofs.
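As an added illustration of the two context operations and the derived judgments above (this is example code written for this edition, not code from the paper), the following Python models a context as a list of declarations with one of the three statuses, implements Γ⊕ and Γ⊖, and checks the variable-status discipline that decides whether an object may be used as a term, an expression or a proof. Types are carried as plain strings and are not checked; only the conditions on free variables are. λ-abstraction is modelled by extending the context with the bound variable at its status. The names hide, resurrect, is_term, is_expression and is_proof, and the sample context GAMMA, are this example's own.

```python
# Added illustration of Section 2.2 (not code from the paper).
# A context is a list of (variable, status, type); types are plain strings
# and are not checked, only the status discipline on free variables is.

TERM, EXPR, PROOF = ":", "::", "÷"      # x:A, x::A, x÷A

def hide(ctx):
    """Gamma-plus: every term variable x:A becomes a proof variable x÷A."""
    return [(x, PROOF if st == TERM else st, a) for (x, st, a) in ctx]

def resurrect(ctx):
    """Gamma-minus: every proof variable x÷A becomes a term variable x:A."""
    return [(x, TERM if st == PROOF else st, a) for (x, st, a) in ctx]

def var_as_term(ctx, x):
    """Gamma |- x : A.  Figure 1 has rules for x:A and x::A but none for x÷A.
    Returns the declared type, or None when the judgment is not derivable."""
    for (y, st, a) in reversed(ctx):          # innermost declaration wins
        if y == x:
            return a if st in (TERM, EXPR) else None
    return None

def var_as_expression(ctx, x):
    """Gamma |- x :: A  iff  Gamma-plus |- x : A."""
    return var_as_term(hide(ctx), x)

def var_as_proof(ctx, x):
    """Gamma |- x ÷ A  iff  Gamma-minus |- x : A."""
    return var_as_term(resurrect(ctx), x)

# Objects: constants, variables, and the three applications / abstractions,
# each tagged with the status of its argument or bound variable.
def const(c):                return ("c", c)
def var(x):                  return ("x", x)
def app(status, f, arg):     return ("app", status, f, arg)
def lam(status, x, a, body): return ("lam", status, x, a, body)

def is_term(ctx, m):
    """Variable-status side of Gamma |- M : _ : every free variable must be
    usable at the position in which it occurs (types themselves not checked)."""
    tag = m[0]
    if tag == "c":
        return True
    if tag == "x":
        return var_as_term(ctx, m[1]) is not None
    if tag == "lam":                           # bound variable enters Gamma with its status
        _, st, x, a, body = m
        return is_term(ctx + [(x, st, a)], body)
    _, st, f, arg = m                          # M1 * M2: argument checked at status st
    return is_term(ctx, f) and CHECK[st](ctx, arg)

def is_expression(ctx, m):
    """Gamma |- M :: _  iff  Gamma-plus |- M : _."""
    return is_term(hide(ctx), m)

def is_proof(ctx, m):
    """Gamma |- M ÷ _  iff  Gamma-minus |- M : _."""
    return is_term(resurrect(ctx), m)

CHECK = {TERM: is_term, EXPR: is_expression, PROOF: is_proof}

def statuses(ctx, m):
    """Which of the three judgments hold for M in Gamma."""
    return {st: CHECK[st](ctx, m) for st in (EXPR, TERM, PROOF)}

# Constructed sample context: a term variable, an expression variable, a proof variable.
GAMMA = [("x", TERM, "A"), ("e", EXPR, "A"), ("p", PROOF, "B")]

if __name__ == "__main__":
    for name in ("x", "e", "p"):
        print(name, statuses(GAMMA, var(name)))
    # the proof variable p may occur in an expression, but only inside a proof argument
    print(is_expression(GAMMA, app(PROOF, const("g"), var("p"))))
    print(is_expression(GAMMA, app(TERM, const("h"), var("x"))))
```

Running it shows the two non-derivabilities stated in the text, x:A ⊬ x :: A and x÷A ⊬ x : A, as well as the interaction of intensionality and irrelevance: g ∘ p is an expression in GAMMA because p is only used inside a proof argument, whereas h x is not, because the term variable x is hidden by Γ⊕.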


2.3 Typing Rules

Our formulation of the typing rules is similar to the second version
given in [7] and directly based on [8]. In preparation for the various
algorithms we presuppose and inductively preserve the validity of
contexts involved in the judgments, instead of checking these
properties at the leaves. This is a matter of expediency rather than
necessity. Furthermore, in order to shorten the presentation we use
the following notation:

★ stands for either ":", "::" or "÷", where all occurrences in a rule
must be consistent.
Objects.

  c:A in Σ
  ----------
  Γ ⊢ c : A        Γ, x:A, Γ' ⊢ x : A        Γ, x::A, Γ' ⊢ x : A

  no rule for x÷A

  Γ ⊢ A1 ★ type    Γ, x★A1 ⊢ M2 : A2
  ----------------------------------
  Γ ⊢ λx★A1. M2 : Πx★A1. A2

  Γ ⊢ M1 : Πx★A2. A1    Γ ⊢ M2 ★ A2
  ----------------------------------
  Γ ⊢ M1 ∗ M2 : [M2/x]A1

  Γ ⊢ M : A    Γ ⊢ A = B : type
  ------------------------------
  Γ ⊢ M : B

Families.

  a:K in Σ
  ----------
  Γ ⊢ a : K

  Γ ⊢ A : Πx★B. K    Γ ⊢ M ★ B
  -----------------------------
  Γ ⊢ A ∗ M : [M/x]K

  Γ ⊢ A1 ★ type    Γ, x★A1 ⊢ A2 : type
  ------------------------------------
  Γ ⊢ Πx★A1. A2 : type

  Γ ⊢ A : K    Γ ⊢ K = L : kind
  ------------------------------
  Γ ⊢ A : L

Figure 1. Rules for Validity of Objects and Families


∗ stands for either juxtaposition (an application of a function of type
Πx:A. B), "•" (an application of a function of type Πx::A. B), or "∘"
(an application of a function of type Πx÷A. B). Occurrences of "∗"
must be coordinated with occurrences of "★" in a rule schema in the
indicated manner.

Signatures. The rules for validity of signatures are straightforward
and omitted here. From now on we fix a valid signature Σ and omit it
from the judgments.

Contexts. Validity of contexts must guarantee that we cannot
incorrectly refer to a proof variable in a term or expression, or a
term variable in an expression. This is achieved by the following
rules.

                  ⊢ Γ ctx    Γ ⊢ A ★ type
  ---------       -----------------------
  ⊢ · ctx         ⊢ Γ, x★A ctx

Note that the second rule schema actually stands for three rules,
depending on whether x:A, x::A, or x÷A appear in the conclusion and
premise.

Objects. Here we proceed as in LF, except that we need to make sure
that arguments fit the type and disposition (intensional, extensional,
or irrelevant) of the function. The rules can be found in Figure 1. The
rule schema for application is the most complex and has three
instances. One of them, for example, replaces ★ by :: and ∗ by •.

Families and Kinds. The rules for application and conversion are copies
of the rules from the level of objects. Valid function types restrict
occurrences of the dependent variable based on whether the
corresponding argument is interpreted as an expression, a term, or a
proof. This is necessary to guarantee that the type of an application,
which is obtained by substitution, is valid. The rules at the level of
kinds mirror the ones at the level of families and are elided here.

Generally, in our theory the judgments on families only reflect the
judgments on the objects embedded in them. This is typical of type
theories such as the one underlying LF.

2.4 Definitional Equality

The rules for definitional equality are written with the presupposition
that a valid signature Σ is fixed and that all contexts Γ are valid.
The intent is that equality implies validity of the objects, families,
or kinds involved (see Lemma 2). In contrast to the original
formulation of LF in [7], equality of terms is based on a notion of
parallel conversion plus extensionality, rather than βη-conversion, but
the two definitions turn out to be equivalent. In addition we have to
take care of intensionality for expressions and irrelevance of proofs.
This is reflected in the rules for intensional application M • N and
irrelevant application M ∘ N.

Some of the typing premises in the rules are redundant, but for
technical reasons we cannot prove this until validity has been
established. Such premises are enclosed in {braces}.
Simultaneous Congruence.

  c:A in Σ
  --------------
  Γ ⊢ c = c : A      Γ, x:A, Γ' ⊢ x = x : A      Γ, x::A, Γ' ⊢ x = x : A

  Γ ⊢ M1 = N1 : Πx★A2. A1    Γ ⊢ M2 = N2 ★ A2
  --------------------------------------------
  Γ ⊢ M1 ∗ M2 = N1 ∗ N2 : [M2/x]A1

  Γ ⊢ A1' = A1 ★ type    Γ ⊢ A1'' = A1 ★ type    Γ, x★A1 ⊢ M2 = N2 : A2
  ----------------------------------------------------------------------
  Γ ⊢ λx★A1'. M2 = λx★A1''. N2 : Πx★A1. A2

Extensionality.

  Γ ⊢ A1 ★ type    {Γ ⊢ M : Πx★A1. A2}    {Γ ⊢ N : Πx★A1. A2}    Γ, x★A1 ⊢ M ∗ x = N ∗ x : A2
  -------------------------------------------------------------------------------------------
  Γ ⊢ M = N : Πx★A1. A2

Parallel Reduction.

  {Γ ⊢ A1 ★ type}    Γ, x★A1 ⊢ M2 = N2 : A2    Γ ⊢ M1 = N1 ★ A1
  --------------------------------------------------------------
  Γ ⊢ (λx★A1. M2) ∗ M1 = [N1/x]N2 : [M1/x]A2

Type Conversion.

  Γ ⊢ M = N : A    Γ ⊢ A = B : type
  ----------------------------------
  Γ ⊢ M = N : B

Figure 2. Extensional Equality Between Objects


Objects. The extensional equality rules for objects are shown in
Figure 2, where we have elided rules stating symmetry and transitivity.
Conversion is modelled by parallel reduction, a choice motivated by
technical concerns. Reflexivity is admissible, which is typical for
equality based on parallel reduction.

The crux of intensionality and irrelevance is in the cases for the
corresponding applications, M • N and M ∘ N. We therefore explicitly
consider the second premise in the rule schema for application in its
three specific instances.

If we compare M1 M2 = N1 N2, then the second premise requires
M2 = N2 : A2, just as in LF.

If we compare M1 • M2 = N1 • N2 then the arguments are treated
intensionally and equality will only succeed if M2 and N2 are
well-typed and intensionally equal expressions. This is enforced with
the judgment Γ ⊢ M2 = N2 :: A2 defined before, which holds if and only
if Γ⊕ ⊢ M2 ≡ N2 : A2.

If we compare M1 ∘ M2 = N1 ∘ N2 then the arguments are proofs and are
always considered equal. We only need to check that they are
well-typed, which is accomplished with the judgment Γ ⊢ M2 = N2 ÷ A2
defined before. This holds if and only if Γ⊖ ⊢ M2 : A2 and
Γ⊖ ⊢ N2 : A2.

Since the main equality judgment compares terms and not expressions or
proofs, the extensionality principle holds for all three kinds of
functions. Modulo the construction of the right kind of context and
some redundant premises required for technical reasons, these are
straightforward. Similarly, the rule of parallel reduction is available
for all three kinds of functions.

Families and Kinds. The rules in Figure 2 are repeated with
straightforward adaptations at the levels of families and kinds and
omitted here. Details can be found in the technical report [19].

Intensional Equality. The intensional equality between objects,
Γ ⊢ M ≡ N : A, is defined as a simultaneous congruence just as the
extensional equality, but we delete the rules for extensionality and
parallel conversion. In the modified rules, arguments to functions that
are to be treated as proofs, however, are considered irrelevant for
equality as before. Hence irrelevance takes precedence over
intensionality, which seems most appropriate for the intended
applications as outlined in Section 7. The reader can find the full set
of rules in [19].
2.5 Elementary Properties

We establish some elementary properties of the judgments pertaining to
the interpretation of contexts. All of these have standard or
straightforward proofs on the structure of derivations. First we show
weakening for all judgments of the type theory. Secondly, reflexivity
holds for valid objects, families, and kinds.

For all lemmas and theorems from here on we tacitly assume that the
contexts in the given derivations are well-formed. Furthermore, in the
statement of a meta-theoretic property, several occurrences of "★" must
still be instantiated consistently as for inference rules.

Lemma 1 (Substitution) If Γ, x★A, Γ' ⊢ J and Γ ⊢ M ★ A then
Γ, [M/x]Γ' ⊢ [M/x]J.

Proof: By induction over the structure of the first given derivation. □

Note that this is shorthand for several separate substitution
properties. Now there is a series of technical lemmas (which we omit),
culminating in validity and functionality.

Lemma 2 (Validity)

1. If Γ ⊢ M ★ A then Γ ⊢ A ★ type.

2. If Γ ⊢ M = N ★ A then Γ ⊢ M ★ A, Γ ⊢ N ★ A, and Γ ⊢ A ★ type.

Analogous properties hold at the levels of families and kinds.

Lemma 3 (Functionality) If Γ ⊢ M = N ★ A and Γ, x★A ⊢ O = P : B then
Γ ⊢ [M/x]O = [N/x]P : [M/x]B and similarly at the level of types and
kinds.

Another consequence of validity is a collection of standard inversion
properties. In the interest of space, we elide these properties here.
We can further show, from validity, that the premises enclosed in
{...} are indeed redundant, that is, follow from the other premises.

3  An  Algorithm  for  Deciding  Equality 

The  algorithm  for  deciding  definitional  equality  can  be 
summarized  as  follows: 

1 .  When  comparing  objects  at  function  type,  apply  exten- 
sionality. 

2.  When  comparing  objects  at  base  type,  reduce  both 
sides  to  weak  head-normal  form  and  then  compare 
heads  directly.  If  they  are  equal,  we  compare  each  cor¬ 
responding  pair  of  arguments  according  to  their  status. 


(a)  When  the  corresponding  arguments  are  exten- 
sional  (terms),  recursively  compare  for  exten- 
sional  equality. 

(b)  When  the  corresponding  arguments  are  in- 
tensional  (expressions),  compare  for  syntactic 
equality  modulo  a-conversion,  ignoring  only 
embedded  proof  terms. 

(c)  When  the  corresponding  arguments  arc  irrelevant 
(proofs),  we  always  treat  them  as  equal. 

Since  this  algorithm  is  type-directed  in  case  (1)  we  need  to 
carry  types.  Unfortunately,  this  makes  it  difficult  to  prove 
correctness  of  the  algorithm  in  the  presence  of  dependent 
types,  because  transitivity  is  not  an  obvious  property.  For¬ 
tunately,  we  do  not  need  to  know  the  precise  type  of  the 
objects  we  are  comparing. 

We  therefore  define  a  calculus  of  simple  approximate 
types  and  an  erasure  function  ()“  that  eliminates  dependen¬ 
cies  for  the  purpose  of  this  algorithm.  Note  that  there  arc 
three  forms  of  non-dependent  function  type  which  we  write 
as  T]  A  T2  and  similarly  for  kinds. 

We  write  rr  to  stands  for  simple  base  types  and  we  have 
two  .special  type  constants,  type"  and  kind“,  for  the  equal¬ 
ity  judgments  at  the  level  of  types  and  kinds. 

Simple  Kinds  k  ::=  typc“  \  t-Ak\t^k\t^k 

Simple  Types  r  a  |  tj  -A  T2  \  ti  — >  r2  |  n  A  T2 
Simple  Contexts  A  ::=  ■  |  A,.'i;:r  |  A,.7;::r  |  A,xA-t 

We  use  r,  9, 6  for  simple  types  and  A  for  contexts  declar¬ 
ing  simple  types  for  variables.  We  also  use  “kind“”  in  a 
similar  role  to  “kind”  in  the  LF  type  theory. 

We write $A^-$ for the simple type that results from erasing dependencies in $A$, and similarly $K^-$. We translate each constant type family $a$ to a base type $a^-$ and extend this to all type families. We extend it further to contexts by applying it to each declaration.

$$(a)^- = a^- \qquad (A\ M)^- = A^- \qquad (\Pi x{\star}A_1.\ A_2)^- = A_1^- \stackrel{\star}{\to} A_2^-$$

Here $\star$ ranges over the three modes $:$, $::$ and $\div$, and the erased arrow is the one of the same mode.

We now present the algorithm in the form of four judgments. These can be interpreted as an algorithm in the manner of logic programming.

$M \xrightarrow{whr} M'$ ($M$ weak head reduces to $M'$). Algorithmically, we assume $M$ is given and compute $M'$ (if $M$ is head reducible) or fail.

$\Delta \vdash M \Leftrightarrow N : \tau$ ($M$ is equal to $N$ at simple type $\tau$). Algorithmically, we assume $\Delta$, $M$, $N$, and $\tau$ are given and we simply succeed or fail. We only apply this judgment if $M$ and $N$ have the same type $A$ and $\tau = A^-$.

$\Delta \vdash M \leftrightarrow N : \tau$ ($M$ is structurally equal to $N$). Algorithmically, we assume that $\Delta$, $M$ and $N$ are given and we compute $\tau$ or fail. If successful, $\tau$ will be the approximate type of $M$ and $N$.

$\Delta \vdash M\ (=)\ N$ ($M$ is intensionally equal to $N$). Algorithmically, we assume that $\Delta$, $M$, and $N$ are given and we either succeed or fail.

Note that the structural and type-directed equality are mutually recursive, while weak head reduction does not depend on the other three judgments.

Weak Head Reduction. In the rules below $M \star N$ stands for application in the mode matching the binder: juxtaposition $M\,N$ (extensional), $M \bullet N$ (intensional) and $M \circ N$ (irrelevant).

$$\frac{}{(\lambda x{\star}A_1.\ M_2)\ \star\ M_1 \xrightarrow{whr} [M_1/x]M_2}
\qquad
\frac{M_1 \xrightarrow{whr} M_1'}{M_1 \star M_2 \xrightarrow{whr} M_1' \star M_2}$$

Type-Directed Object Equality.

$$\frac{M \xrightarrow{whr} M' \quad \Delta \vdash M' \Leftrightarrow N : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}
\qquad
\frac{N \xrightarrow{whr} N' \quad \Delta \vdash M \Leftrightarrow N' : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}$$

$$\frac{\Delta \vdash M \leftrightarrow N : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}
\qquad
\frac{\Delta, x{\star}\tau_1 \vdash M \star x \Leftrightarrow N \star x : \tau_2}{\Delta \vdash M \Leftrightarrow N : \tau_1 \stackrel{\star}{\to} \tau_2}$$

Structural Object Equality.

$$\frac{c{:}A \text{ in } \Sigma}{\Delta \vdash c \leftrightarrow c : A^-}
\qquad
\frac{x{:}\tau \text{ or } x{::}\tau \text{ in } \Delta}{\Delta \vdash x \leftrightarrow x : \tau}$$

$$\frac{\Delta \vdash M_1 \leftrightarrow N_1 : \tau_2 \to \tau_1 \quad \Delta \vdash M_2 \Leftrightarrow N_2 : \tau_2}{\Delta \vdash M_1\,M_2 \leftrightarrow N_1\,N_2 : \tau_1}$$

$$\frac{\Delta \vdash M_1 \leftrightarrow N_1 : \tau_2 \Rightarrow \tau_1 \quad \Delta \vdash M_2\ (=)\ N_2}{\Delta \vdash M_1 \bullet M_2 \leftrightarrow N_1 \bullet N_2 : \tau_1}$$

$$\frac{\Delta \vdash M_1 \leftrightarrow N_1 : \tau_2 \stackrel{\div}{\to} \tau_1}{\Delta \vdash M_1 \circ M_2 \leftrightarrow N_1 \circ N_2 : \tau_1}$$

Structural Intensional Object Equality.

$$\frac{c{:}A \text{ in } \Sigma}{\Delta \vdash c\ (=)\ c}
\qquad
\frac{x{:}\tau \text{ or } x{::}\tau \text{ in } \Delta}{\Delta \vdash x\ (=)\ x}$$

$$\frac{\Delta \vdash A \Leftrightarrow B : \mathsf{type}^- \quad \Delta, x{\star}A^- \vdash M\ (=)\ N}{\Delta \vdash \lambda x{\star}A.\ M\ (=)\ \lambda x{\star}B.\ N}$$

$$\frac{\Delta \vdash M_1\ (=)\ N_1 \quad \Delta \vdash M_2\ (=)\ N_2}{\Delta \vdash M_1\,M_2\ (=)\ N_1\,N_2}
\qquad
\frac{\Delta \vdash M_1\ (=)\ N_1 \quad \Delta \vdash M_2\ (=)\ N_2}{\Delta \vdash M_1 \bullet M_2\ (=)\ N_1 \bullet N_2}$$

$$\frac{\Delta \vdash M_1\ (=)\ N_1}{\Delta \vdash M_1 \circ M_2\ (=)\ N_1 \circ N_2}$$

The crux of the definitions above is the rules for structural equality for applications: an extensional argument is compared by the type-directed judgment, an intensional argument by syntactic equality, and an irrelevant argument not at all. We omit the corresponding rules at the level of families. Briefly, kind-directed equality simply decomposes $\Pi$-types, while structural type equality reprises the rules for structural object equality above.

The  algorithmic  equality  judgments  satisfy  some 
straightforward  structural  properties,  including  weakening. 
Furthermore,  the  algorithm  is  essentially  deterministic  in 
the  sense  that  when  comparing  terms  at  base  type  we  have  to 
weakly  head-normalize  both  sides  and  compare  the  results 
structurally.  This  is  because  terms  that  are  weakly  head  re¬ 
ducible  will  never  be  considered  structurally  equal.  This 
property,  as  well  as  the  symmetry  and  transitivity  of  the  al¬ 
gorithm  are  completely  straightforward. 
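As an added illustration of the four judgments above (this is example code written for this page, not an implementation from the paper), the following Python model runs the algorithm over a toy object language. The modes ':', '::' and '÷' stand for the paper's three forms of Π and λ; juxtaposition, • and ∘ are all represented by `App` with a mode. It assumes that λ-annotations are already simple types, that binders are distinct from the free variables of substituted terms (the usual Barendregt convention), and that the type-level premise $A \Leftrightarrow B : \mathsf{type}^-$ of the intensional λ-rule reduces to syntactic equality of annotations. The signature `SIG` and context `CTX` are constructed for the demonstration.

```python
from dataclasses import dataclass
from itertools import count

# Binding/application modes after the paper's x:A, x::A and x÷A.
EXT, INT, IRR = ':', '::', '÷'

@dataclass(frozen=True)
class Base: name: str                                  # simple base type α
@dataclass(frozen=True)
class Arrow: mode: str; dom: object; cod: object       # τ1 →⋆ τ2 in mode ⋆
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Const: name: str
@dataclass(frozen=True)
class Lam: var: str; mode: str; ann: object; body: object   # λx⋆A. M (A already simple)
@dataclass(frozen=True)
class App: fun: object; arg: object; mode: str         # M N, M • N or M ∘ N, by mode

def subst(t, x, s):
    """[s/x]t, assuming binders are distinct from the free variables of s."""
    if isinstance(t, Var): return s if t.name == x else t
    if isinstance(t, Lam): return t if t.var == x else Lam(t.var, t.mode, t.ann, subst(t.body, x, s))
    if isinstance(t, App): return App(subst(t.fun, x, s), subst(t.arg, x, s), t.mode)
    return t

def whr(m):
    """One weak head reduction step (β in the matching mode), or None if m is not head-reducible."""
    if isinstance(m, App):
        if isinstance(m.fun, Lam) and m.fun.mode == m.mode:
            return subst(m.fun.body, m.fun.var, m.arg)
        f = whr(m.fun)
        if f is not None: return App(f, m.arg, m.mode)
    return None

_fresh = count()

def type_eq(sig, ctx, m, n, tau):
    """Δ ⊢ M ⇔ N : τ.  ctx maps a variable name to (mode, simple type)."""
    if isinstance(tau, Arrow):                         # function type: compare under a fresh variable (η)
        x = f"_v{next(_fresh)}"
        ctx2 = {**ctx, x: (tau.mode, tau.dom)}
        return type_eq(sig, ctx2, App(m, Var(x), tau.mode), App(n, Var(x), tau.mode), tau.cod)
    m2, n2 = whr(m), whr(n)                            # base type: weak head normalize both sides first
    if m2 is not None: return type_eq(sig, ctx, m2, n, tau)
    if n2 is not None: return type_eq(sig, ctx, m, n2, tau)
    return structural(sig, ctx, m, n) == tau

def structural(sig, ctx, m, n):
    """Δ ⊢ M ↔ N : τ; returns τ or None.  Heads must agree; arguments are
    compared extensionally, intensionally, or not at all, according to mode."""
    if isinstance(m, Const) and m == n: return sig[m.name]
    if isinstance(m, Var) and m == n and ctx[m.name][0] != IRR:   # no rule for x÷τ
        return ctx[m.name][1]
    if isinstance(m, App) and isinstance(n, App) and m.mode == n.mode:
        t = structural(sig, ctx, m.fun, n.fun)
        if not (isinstance(t, Arrow) and t.mode == m.mode): return None
        if m.mode == EXT and not type_eq(sig, ctx, m.arg, n.arg, t.dom): return None
        if m.mode == INT and not intensional(ctx, m.arg, n.arg, ()): return None
        return t.cod                                   # IRR: proof arguments are never compared
    return None

def intensional(ctx, m, n, bound):
    """Δ ⊢ M (=) N: syntactic equality modulo α-conversion, ignoring only
    irrelevant arguments.  `bound` pairs corresponding binders of m and n."""
    if isinstance(m, Var) and isinstance(n, Var):
        for a, b in reversed(bound):
            if a == m.name or b == n.name: return a == m.name and b == n.name
        return m == n and ctx[m.name][0] != IRR
    if isinstance(m, Const) and isinstance(n, Const): return m == n
    if isinstance(m, Lam) and isinstance(n, Lam) and m.mode == n.mode:
        return m.ann == n.ann and intensional(ctx, m.body, n.body, bound + ((m.var, n.var),))
    if isinstance(m, App) and isinstance(n, App) and m.mode == n.mode:
        return intensional(ctx, m.fun, n.fun, bound) and (m.mode == IRR or intensional(ctx, m.arg, n.arg, bound))
    return False

A = Base('a')
SIG = {'c': Arrow(EXT, A, A), 'd': Arrow(INT, A, A), 'e': Arrow(IRR, A, A)}   # constructed signature Σ
CTX = {'y': (EXT, A), 'p': (EXT, A), 'q': (EXT, A)}                           # constructed context Δ

def demo():
    c, d, e, y, p, q = Const('c'), Const('d'), Const('e'), Var('y'), Var('p'), Var('q')
    ident = lambda v: Lam(v, EXT, A, Var(v))           # λv:a. v
    red = App(ident('z'), y, EXT)                      # (λz:a. z) y, which β-reduces to y
    return {
        'beta':       type_eq(SIG, CTX, red, y, A),                                            # True
        'eta':        type_eq(SIG, CTX, c, Lam('z', EXT, A, App(c, Var('z'), EXT)), Arrow(EXT, A, A)),  # True
        'ext_arg':    type_eq(SIG, CTX, App(c, red, EXT), App(c, y, EXT), A),                  # True
        'int_arg':    type_eq(SIG, CTX, App(d, red, INT), App(d, y, INT), A),                  # False: no β under •
        'alpha':      type_eq(SIG, CTX, App(d, red, INT), App(d, App(ident('w'), y, EXT), INT), A),  # True: α only
        'irrelevant': type_eq(SIG, CTX, App(e, p, IRR), App(e, q, IRR), A),                    # True: proofs ignored
    }
```

The `int_arg` and `alpha` cases show the point of case (b): an intensional argument is not reduced, so `d • ((λz:a. z) y)` differs from `d • y`, yet agrees with its α-variant. The `irrelevant` case shows case (c): `e ∘ p` and `e ∘ q` are equal although `p` and `q` are distinct variables, which is exactly why a proof argument can be dropped from a stored term without changing what it is equal to.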

4  Completeness  of  the  Equality  Algorithm 

In  this  section  we  summarize  the  completeness  theorem 
for  the  type-directed  equality  algorithm.  That  is,  if  two 
terms  are  definitionally  equal,  the  algorithm  will  succeed. 
The  central  idea  is  to  proceed  by  an  argument  via  logical 
relations  defined  inductively  on  the  approximate  type  of  an 
object,  where  the  approximate  type  arises  from  erasing  all 
dependencies. 

The completeness direction of the correctness proof for type-directed equality states:

$$\text{If } \Gamma \vdash M = N : A \text{ then } \Gamma^- \vdash M \Leftrightarrow N : A^-.$$

One would like to prove this by induction on the structure of the derivation for the given equality. However, such a proof attempt fails at the case for application. Instead we define a logical relation $\Delta \vdash M = N \in [\tau]$ that provides a stronger induction hypothesis so that both

1. if $\Gamma \vdash M = N : A$ then $\Gamma^- \vdash M = N \in [A^-]$, and

2. if $\Gamma^- \vdash M = N \in [A^-]$ then $\Gamma^- \vdash M \Leftrightarrow N : A^-$

can be proved.

The development can be found in [19], following [8] quite closely, so we omit it here in the interest of brevity.

Theorem 4 (Completeness of the Equality Algorithm)

If $\Gamma \vdash M = N : A$ then $\Gamma^- \vdash M \Leftrightarrow N : A^-$. Furthermore, an analogous property holds at the level of families.

5  Soundness  of  the  Equality  Algorithm 

In  general,  the  algorithm  for  type-directed  equality  is  not 
sound.  However,  when  applied  to  valid  objects  of  the  same 
type,  it  is  sound  and  relates  only  equal  terms.  This  direction 
requires  a  number  of  syntactic  lemmas  from  Section  2.5,  but 
is  otherwise  mostly  straightforward. 

Lemma 5 (Subject Reduction) If $M \xrightarrow{whr} M'$ and $\Gamma \vdash M : A$ then $\Gamma \vdash M' : A$ and $\Gamma \vdash M = M' : A$.

Proof: By induction on the definition of weak head reduction, making use of inversion and substitution properties. □

For the soundness of the equality algorithm we need subject reduction and validity (Lemma 2).

Theorem 6 (Soundness of the Equality Algorithm)

1. If $\Gamma \vdash M : A$ and $\Gamma \vdash N : A$ and $\Gamma^- \vdash M \Leftrightarrow N : A^-$, then $\Gamma \vdash M = N : A$.

2. If $\Gamma \vdash M : A$ and $\Gamma \vdash N : B$ and $\Gamma^- \vdash M \leftrightarrow N : \tau$, then $\Gamma \vdash M = N : A$, $\Gamma \vdash A = B : \mathsf{type}$ and $A^- = B^- = \tau$.

3. If $\Gamma \vdash M : A$ and $\Gamma \vdash N : B$ and $\Gamma^- \vdash M\ (=)\ N$ then $\Gamma \vdash A = B : \mathsf{type}$ and $\Gamma \vdash M = N : A$.

Analogous properties hold for types and kinds.

Proof: By induction on the structure of the given derivations for algorithmic equality, using validity and inversion on the typing derivations. □

6  Decidability 

We can now show that the judgments for the equality algorithm constitute a decision procedure on valid terms of the same type. This result is then lifted to yield decidability of all judgments in the type theory. This part of the development is relatively standard. An exposition of the necessary auxiliary judgments and lemmas can be found in [19]. We only show the final result.

Theorem 7 (Decidability)

1. If $\Gamma \vdash M : A$ and $\Gamma \vdash N : A$ then it is decidable whether $\Gamma \vdash M = N : A$.

2. Given a valid $\Gamma$, $M$, and $A$, it is decidable whether $\Gamma \vdash M : A$.

Corresponding properties hold at the level of families and kinds and for other equality judgments.

We  also  have  that  our  type  theory  is  conservative  over 
LF.  This  is  important  for  logical  framework  applications, 
since  previously  established  adequacy  theorems  for  encod¬ 
ings  will  continue  to  hold  in  the  modal  framework. 

7 Further Developments and Potential Applications

In this section we consider various possible further developments and potential applications of our ideas.

7.1 Logical Frameworks

The addition of intensional expressions and irrelevant proofs to the logical framework may lead to more direct and more compact encodings in a number of examples.

First, the intensional nature of expressions constitutes a weak form of reflection: arbitrary LF terms are accessible in LF without regard to βη-conversion. At present we do not have any concrete applications for this added expressive power; the primary application of intensional expressions we have in mind is in the richer setting of functional programming explained in Section 7.2 below.

Second, the irrelevant nature of proofs can be used to encode similar situations in object theories, which is quite frequent. For example, in an encoding of linear functions in LF we often have to deal with pairs consisting of the actual function and the proof certifying its linearity. The nature of this proof is, however, irrelevant, as long as it exists. An encoding of this kind might look as shown below. Here we use $A \to B$ for $\Pi x{:}A.\ B$ where $x$ does not occur in $B$.

    rawterm : type
    lam     : (rawterm -> rawterm) -> rawterm
    app     : rawterm -> rawterm -> rawterm
    linear  : rawterm -> type
    linterm : ΠE:rawterm. ΠL÷linear E. type

The definitional equality at type linterm now ignores the proofs that the expressions E are indeed linear. A similar situation arises in the encoding of object languages with subtyping, where often all proofs of subtype relationships should be considered equal. The logic programming interpretation of such encodings can go from infeasible to practical if all choice points are discarded after the first proof has been found. Such an optimization is justified by our modal type theory without any loss of soundness or completeness.

Moreover, the Twelf system [21] can verify automatically that type families (such as linear, or one implementing object-language subtyping) are in fact decidable, using mode and termination analysis [22]. If we agree that irrelevant objects need not be shown in the user interface, then the proofs of type linear E that occur in linear terms actually do not need to be represented at all, leading to potentially significant space savings that may be critical in applications such as proof-carrying code [14] and certifying decision procedures [23]. Another situation in which an implementation may mark objects as irrelevant is if they are uniquely determined, either for syntactic [15] or semantic [16] reasons. While our modal analysis does not cover all of these optimizations, it generalizes some of the core ideas from a fragment of LF to the full type theory.

7.2 Functional Programming

Our given type theory is fully adequate as a logical framework, but clearly not expressive enough to develop verified functional programs as in various implementations of type theory such as Nuprl [4] or Coq [6]. Besides standard constructs such as inductive types or Σ-types that are orthogonal to our considerations, we need to internalize expressions and proofs as modal operators, rather than just arguments to functions. The blueprint for such an integration for expressions has been given in prior work [5, 20]; the correct notion of definitional equality in the presence of dependencies was the main missing ingredient. The presence of both expressions and proofs allows a new twist. We show the formation and introduction rules for the corresponding modal operators, expanding the derived judgments:

$$\frac{\Gamma^{\ominus} \vdash A : \mathsf{type}}{\Gamma \vdash \Box A : \mathsf{type}}
\qquad
\frac{\Gamma^{\oplus} \vdash A : \mathsf{type}}{\Gamma \vdash \triangle A : \mathsf{type}}$$

$$\frac{\Gamma^{\ominus} \vdash M : A}{\Gamma \vdash \mathsf{box}\,M : \Box A}
\qquad
\frac{\Gamma^{\oplus} \vdash M : A}{\Gamma \vdash \mathsf{tri}\,M : \triangle A}$$

The elimination rules (especially for the △ modality) are unfortunately quite complex. To give the idea: we can now represent, for example, the subset type as a proof-irrelevant version of the strong sum.

$$\{x{:}A \mid B\} = \Sigma x{:}A.\ \triangle B$$

The triangle operator appears to serve the same purpose as the squash type in [10], except that here it is derived directly from the judgmental level rather than from identity types.

If our operational interpretation of type theory is based on staged computation [5], then the △ modality is necessary to reason about staged programs. Besides a natural symmetry between intensionality and irrelevance as extreme forms of decidable equality, this has been our main motivation for developing a type theory that simultaneously supports these concepts. As an example, consider the specification of a staged power function (presuming a type nat and a propositional equality =):

$$\Pi n{:}\mathit{nat}.\ \Box(\Pi b{:}\mathit{nat}.\ \Sigma m{:}\mathit{nat}.\ m = b^n) : \mathsf{type}$$

This is not well-formed because the term variable $n$ is not available in the expression underneath the □ constructor. This problem is neatly solved with the △ modality as follows:

$$\vdash \Pi n{:}\mathit{nat}.\ \Box(\Pi b{:}\mathit{nat}.\ \Sigma m{:}\mathit{nat}.\ \triangle(m = b^n)) : \mathsf{type}$$

This further specifies that the correctness proof for the staged power function may be erased before execution since it is computationally irrelevant.

7.3 First-Order Intuitionistic Modal Logic

If we consider the first-order fragment of our type theory, the three forms of Π-abstraction correspond to three forms of universal quantification. In terms of a Kripke semantics with varying domains, $\Pi x{:}A.\ B$ quantifies over the elements of the current domain only. This means, for example, that $\Pi x{:}A.\ \Box P(x)$ is only well-formed if $P$ has kind $\Pi x{\div}A.\ \mathsf{type}$, because otherwise the truth of $P(x)$ may need to be investigated in worlds in which $x$ does not exist. Yet it is still possible that $x$ occurs, even if $P$ can only talk about elements of the current world, as in $\Pi x{:}A.\ P(x) \to \Box\triangle P(x)$ (which is true, incidentally). The quantifier $\Pi x{::}A.\ B$ quantifies over elements existing in all domains and thus, in general, fewer than $\Pi x{:}A.\ B$. Finally, $\Pi x{\div}A.\ B$ quantifies over all elements of the current world and also elements that existed in some past world. Thus our approach has the potential to shed new light on old debates by allowing various interpretations of quantification to coexist peacefully in a single modal logic.

8  Conclusion 

We  have  presented  a  dependent  type  theory  that  inte¬ 
grates  intensionality,  extensionality,  and  proof  irrelevance 
as  judgmental  notions,  based  on  considerations  from  modal 
logic.  We  proved  that  equality  and  type-checking  are  de¬ 
cidable  on  the  fragment  presented  here  and  sketched  some 
possible  applications. 

The most pressing item of future work is the inclusion of first-class modal operators important for applications in functional programming. The most difficult question here is the right notion of the "default" equality on terms. In this paper, the term equality was fully extensional; for functional programming applications, this will not be tenable and must be replaced by a decidable judgmental equality that is sound with respect to the operational semantics. We conjecture that this can be done without upsetting the "extreme" equalities of expressions and proofs, for which there appears to be little leeway. Furthermore, some type theoretic constructs such as universes may require generalizations of our proof techniques.
Abstract

Program termination verification is a challenging research subject of significant practical importance. While there is already a rich body of literature on this subject, it is still undeniably a difficult task to design a termination checker for a realistic programming language that supports general recursion. In this paper, we present an approach to program termination verification that makes use of a form of dependent types developed in Dependent ML (DML), demonstrating a novel application of such dependent types to establishing a liveness property. We design a type system that enables the programmer to supply metrics for verifying program termination and prove that every well-typed program in this type system is terminating. We also provide realistic examples, which are all verified in a prototype implementation, to support the effectiveness of our approach to program termination verification as well as its unobtrusiveness to programming. The main contribution of the paper lies in the design of an approach to program termination verification that smoothly combines types with metrics, yielding a type system capable of guaranteeing program termination that supports a general form of recursion (including mutual recursion), higher-order functions, algebraic datatypes, and polymorphism.


1  Introduction 

Programming  is  notoriously  error-prone.  As  a  conse¬ 
quence,  a  great  number  of  approaches  have  been  developed 
to  facilitate  program  error  detection.  In  practice,  the  pro¬ 
grammer  often  knows  certain  program  properties  that  must 
hold  in  a  correct  implementation;  it  is  therefore  an  indication 
of  program  errors  if  the  actual  implementation  violates  some 
of  these  properties.  For  instance,  various  type  systems  have 
been  designed  to  detect  program  errors  that  cause  violations 
of  the  supported  type  disciplines. 

It is common in practice that the programmer knows, for some reason, that a particular program should terminate if implemented correctly. This immediately implies that a termination checker can be of great value for detecting program errors that cause nonterminating program execution. However, termination checking in a realistic programming language that supports general recursion is often prohibitively expensive given that (a) program termination in such a language is in general undecidable, (b) termination checking often requires interactive theorem proving that can be too involved for the programmer, (c) a minor change in a program can readily demand a renewed effort in termination checking, and (d) a large number of changes are likely to be made in a program development cycle. In order to design a termination checker for practical use, these issues must be properly addressed.

There is already a rich literature on termination verification. Most approaches to automated termination proofs for either programs or term rewriting systems (TRSs) use various heuristics, some of which can be highly involved, to synthesize well-founded orderings (e.g., various path orderings [3], polynomial interpretation [1], etc.). While these approaches are mainly developed for first-order languages, work in higher-order settings can also be found (e.g., [7]). When a program, which should be terminating if implemented correctly, cannot be proven terminating, it is often difficult for the programmer to determine whether this is caused by a program error or by the limitation of the heuristics involved. Therefore, such automated approaches are likely to offer little help in detecting program errors that cause nonterminating program execution. In addition, automated approaches often have difficulty handling realistic (not necessarily large) programs.

The programmer can also prove program termination in various (interactive) theorem proving systems such as NuPrl [2], Coq [4], Isabelle [8] and PVS [9]. This is a viable practice and various successes have been reported. However, the main problem with this practice is that the programmer may need to spend far more time proving the termination of a program than on simply implementing it. In addition, a renewed effort may be required each time some changes, which are likely in a program development cycle, are made to the program. Therefore, the programmer can often feel hesitant to adopt (interactive) theorem proving for detecting program errors in general programming.

We  are  primarily  interested  in  finding  a  middle  ground.  In 
particular,  we  are  interested  in  forming  a  mechanism  in  a  pro¬ 
gramming  language  that  allows  the  programmer  to  provide 
key  information  needed  for  establishing  program  termination 
    fun ack m n =
      if m = 0 then n+1
      else if n = 0 then ack (m-1) 1 else ack (m-1) (ack m (n-1))
    withtype {i:nat,j:nat} <i,j> => int(i) -> int(j) -> [k:nat] int(k)

Figure 1. An implementation of the Ackermann function


and then automatically verifies that the provided information indeed suffices. An analogy is allowing the user to provide induction hypotheses in inductive theorem proving and then proving theorems with the provided induction hypotheses. Clearly, the challenging question is how such key information for establishing program termination can be formalized and then expressed. The main contribution of this paper lies in our attempt to address the question by presenting a design that allows the programmer to provide such key information through dependent types in a (relatively) simple and clean way.

It is common in practice to prove the termination of recursive functions with metrics. Roughly speaking, we attach a metric in a well-founded ordering to a recursive function and verify that the metric is always decreasing when a recursive function call is made. In this paper, we present an approach that uses the dependent types developed in DML [18, 14] to carry metrics for proving program termination. We form a type system in which metrics can be encoded into types and prove that every well-typed program is terminating. It should be emphasized that we are not here advocating the design of a programming language in which only terminating programs can be written. Instead, we are interested in designing a mechanism in a programming language which, if the programmer chooses to use it, can facilitate program termination verification. This is to be manifested in that the type system we form can be smoothly embedded into the type system of DML. We now illustrate the basic idea with a concrete example before going into further details.

In Figure 1, an implementation of the Ackermann function is given. The withtype clause is a type annotation, which states that for natural numbers i and j, this function takes an argument of type int(i) and another argument of type int(j) and returns a natural number as a result. Note that we have refined the usual integer type int into infinitely many singleton types int(a) for a = 0, 1, -1, 2, -2, ... such that int(a) is precisely the type for integer expressions with value equal to a. We write {i:nat, j:nat} for universally quantifying over index variables i and j of sort nat, that is, the sort for index expressions with values being natural numbers. Also, we write [k:nat] int(k) for $\Sigma k{:}\mathit{nat}.\ \mathit{int}(k)$, which represents the sum of all types int(k) for k = 0, 1, 2, .... The novelty here is the pair <i,j> in the type annotation, which indicates that this is the metric to be used for termination checking. We now informally explain how termination checking is performed in this case: assume that i and j are two natural numbers and m and n have types int(i) and int(j), respectively, and attach the metric (i, j) to ack m n; note that there are three recursive function calls to ack in the body of ack; we attach the metric (i - 1, 1) to the first ack since m-1 and 1 have types int(i - 1) and int(1), respectively; similarly, we attach the metric (i - 1, k) to the second ack, where k is assumed to be some natural number, and the metric (i, j - 1) to the third ack; it is obvious that (i - 1, 1) < (i, j), (i - 1, k) < (i, j) and (i, j - 1) < (i, j) hold, where < is the usual lexicographic ordering on pairs of natural numbers; we thus claim that the function ack is terminating (by a theorem proven in this paper). Note that although this is a simple example, its termination cannot be proven with (lexicographical) structural ordering (as the semantic meaning of both addition + and subtraction - is needed).¹
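The metric argument just given, as an added Python illustration (example code written for this page, not the paper's DML implementation or its type checker): `lex_less` is the lexicographic order < on tuples of naturals; `with_metric` instruments a recursive function so that each recursive call is checked, on concrete arguments, to carry a metric strictly below its caller's; and `ack_obligations_hold` spot-checks the three obligations derived in the text over a bounded range. The paper's checker discharges those obligations once and symbolically through its constraint solver; the runtime check here only witnesses violations on inputs actually run, which is why `ack_bad`, annotated with the wrong metric <j,i>, is caught the first time a call fails to decrease.

```python
from functools import wraps

def lex_less(a, b):
    """Strict lexicographic order on equal-length tuples of naturals (the text's <)."""
    assert len(a) == len(b)
    for x, y in zip(a, b):
        if x != y:
            return x < y
    return False

class MetricViolation(Exception):
    pass

def with_metric(metric):
    """Instrument a recursive function: every recursive call must carry a metric
    strictly below its caller's.  Dynamic check on concrete arguments only; the
    paper's type checker does this statically over index constraints."""
    def deco(f):
        stack = []                                   # metrics of the active invocations
        @wraps(f)
        def wrapper(*args):
            m = metric(*args)
            if any(v < 0 for v in m):
                raise MetricViolation(f"metric {m} is not a tuple of naturals")
            if stack and not lex_less(m, stack[-1]):
                raise MetricViolation(f"call with metric {m} does not decrease {stack[-1]}")
            stack.append(m)
            try:
                return f(*args)
            finally:
                stack.pop()
        return wrapper
    return deco

@with_metric(lambda m, n: (m, n))                    # the text's metric <i,j>
def ack(m, n):
    if m == 0:
        return n + 1
    if n == 0:
        return ack(m - 1, 1)
    return ack(m - 1, ack(m, n - 1))

@with_metric(lambda m, n: (n, m))                    # a wrong metric <j,i>, for contrast
def ack_bad(m, n):
    if m == 0:
        return n + 1
    if n == 0:
        return ack_bad(m - 1, 1)
    return ack_bad(m - 1, ack_bad(m, n - 1))

def ack_obligations_hold(bound):
    """Bounded check of the three obligations from the text, for i, j, k in [0, bound]:
    (i-1,1) < (i,j) when i>0 and j=0; (i-1,k) < (i,j) and (i,j-1) < (i,j) when i>0 and j>0."""
    rng = range(bound + 1)
    for i in rng:
        for j in rng:
            if i > 0 and j == 0 and not lex_less((i - 1, 1), (i, j)):
                return False
            if i > 0 and j > 0:
                if not lex_less((i, j - 1), (i, j)):
                    return False
                if any(not lex_less((i - 1, k), (i, j)) for k in rng):
                    return False
    return True

def bad_metric_rejected():
    """ack_bad(1, 1) reaches ack_bad(1, 0), which calls ack_bad(0, 1): the metric
    (1,0) does not fall below the caller's (0,1), so the instrumented call is refused."""
    try:
        ack_bad(1, 1)
    except MetricViolation:
        return True
    return False
```

Note that the second obligation needs no bound on k: (i - 1, k) < (i, j) holds for every natural k because the first components already differ, which is the reason the text can attach an unknown k to the inner call's result.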

More realistic examples are to be presented in Section 5, involving dependent datatypes [15], mutual recursion, higher-order functions and polymorphism. The reader may read some of these examples before studying the sections on technical development so as to get a feel for what can actually be handled by our approach.

Combining metrics with the dependent types in DML poses a number of theoretical and pragmatic questions. We briefly outline our results and design choices.

The first question that arises is to decide what metrics we should support. Clearly, the variety of metrics for establishing program termination is endless in practice. In this paper, we only consider metrics that are tuples of index expressions of sort nat and use the usual lexicographic ordering to compare metrics. The main reasons for this decision are that (a) such metrics are commonly used in practice to establish termination proofs for a large variety of programs and (b) constraints generated from comparing such metrics can be readily handled by the constraint solver already built for type-checking DML programs. Note that the usual structural ordering on first-order terms can be obtained by attaching to the term the number of constructors in the term, which can be readily accomplished by using the dependent datatype mechanism in DML. However, we are currently unable to capture structural ordering on higher-order terms.

The second question is about establishing the soundness of our approach, that is, proving that every well-typed program in the type system we design is terminating. Though the idea mentioned in the example of the Ackermann function seems intuitive, this task is far from trivial because of the presence of higher-order functions. The reader may take a look at the higher-order example in Section 5 to understand this. We seek a method that can be readily adapted to handle various common programming features when they are added,

¹ There is an implementation of the Ackermann function that involves only primitive recursion and can thus be easily proven terminating, but the point we drive at here is that this particular implementation can be proven terminating with our approach.
including mutual recursion, datatypes, polymorphism, etc. This naturally leads us to the reducibility method [12]. We are to form a notion of reducibility for the dependent types extended with metrics, in which the novelty lies in the treatment of general recursion. This formation, which is novel to our knowledge, constitutes the main technical contribution of the paper.

The  third  question  is  about  integrating  our  termination 
checking  mechanism  with  DML.  In  practice,  it  is  common 
to  encounter  a  case  where  the  termination  of  a  function  /  de¬ 
pends  on  the  termination  of  another  function  g,  which,  unfor¬ 
tunately,  is  not  proven  for  various  reasons,  e.g.,  it  is  beyond 
the  reach  of  the  adopted  mechanism  for  termination  check¬ 
ing  or  the  programmer  is  simply  unwilling  to  spend  the  effort 
proving  it.  Our  approach  is  designed  in  a  way  that  allows  the 
programmer  to  provide  a  metric  in  this  case  for  verifying  the 
termination  of  f  conditional  on  the  termination  of  g,  which 
can  still  be  useful  for  detecting  program  errors. 

The  presented  work  builds  upon  our  previous  work  on  the 
use  of  dependent  types  in  practical  programming  [18,  14]. 
While  the  work  has  its  roots  in  DML,  it  is  largely  unclear, 
a  priori,  how  dependent  types  in  DML  can  be  used  for  es¬ 
tablishing  program  termination.  We  thus  believe  that  it  is  a 
significant  effort  to  actually  design  a  type  system  that  com¬ 
bines  types  with  metrics  and  then  prove  that  the  type  sys¬ 
tem  guarantees  program  termination.  This  effort  is  further 
strengthened  with  a  prototype  implementation  and  a  variety 
of  verified  examples. 

The rest of the paper is organized as follows. We form a language $\mathrm{ML}_0^{\Pi,\Sigma}$ in Section 2, which essentially extends the simply typed call-by-value λ-calculus with a form of dependent types, developed in DML, and recursion. We then extend $\mathrm{ML}_0^{\Pi,\Sigma}$ in Section 3, combining metrics with types, and prove that every program in the extended language is terminating. In Section 4, we enrich the extended language with some significant programming features such as datatypes, mutual recursion and polymorphism. We present some examples in Section 5, illustrating how our approach to program termination verification is applied in practice. We then mention some related work and conclude.

There is a full paper available on-line [16] in which the reader can find details omitted here.

2 $\mathrm{ML}_0^{\Pi,\Sigma}$

We start with a language $\mathrm{ML}_0^{\Pi,\Sigma}$ which essentially extends the simply typed call-by-value λ-calculus with a form of dependent types and (general) recursion. The syntax for $\mathrm{ML}_0^{\Pi,\Sigma}$ is given in Figure 2.

2.1  Syntax 

We fix an integer domain and restrict type index expressions, namely, the expressions that can be used to index a type, to this domain. This is a sorted domain and subset sorts can be formed. For instance, we use nat for the subset sort $\{a : \mathit{int} \mid a \geq 0\}$. We use $\delta(\vec{i})$ for a base type indexed with a sequence of index expressions which may be empty. For instance, bool(0) and bool(1) are types for the boolean values false and true, respectively; for each integer i, int(i) is the singleton type for integer expressions with value equal to i.

We use $\phi \models P$ for a satisfaction relation, which means $P$ holds under $\phi$, that is, the formula $(\phi)P$, defined below, is satisfied in the domain of integers.

$$(\cdot)\Phi = \Phi \qquad (\phi, a : \gamma)\Phi = (\phi)(\forall a : \gamma.\Phi)$$

$$(\phi, a : \{a : \gamma \mid P\})\Phi = (\phi, a : \gamma)(P \supset \Phi) \qquad (\phi, P)\Phi = (\phi)(P \supset \Phi)$$

For instance, the satisfaction relation

$$a : \mathit{nat}, a \ne 0 \models a - 1 \ge 0$$

holds since the following formula is true in the integer domain.

$$\forall a : \mathit{int}.\ a \ge 0 \supset (a \ne 0 \supset a - 1 \ge 0)$$

Note  that  the  decidability  of  the  satisfaction  relation  depends 
on  the  constraint  domain.  For  the  integer  constraint  domain 
we  use  here,  the  satisfaction  relation  is  decidable  (as  we  do 
not  accept  nonlinear  integer  constraints). 
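The translation $(\phi)P$ just defined, carried out in code as an added example that is not part of the paper: it builds the closed formula for a context and a proposition, renders it in the paper's notation, and evaluates it over a bounded integer range. The bounded evaluation is a stand-in for the decision procedure for linear integer constraints that the paper assumes; the sort `nat` and the example context are the ones from the text, while the tuple encodings and function names are this example's own.

```python
"""Added example (not part of the paper): the translation (phi)P from
Section 2.1 and a bounded-range evaluator for the resulting closed formula.
The paper assumes a decision procedure for linear integer constraints; the
evaluator below only checks a finite range and stands in for it."""
from typing import Callable, Dict, List, Tuple

Env = Dict[str, int]
# An atomic proposition is (text, predicate) so it can be printed and evaluated.
Prop = Tuple[str, Callable[[Env], bool]]

# A subset sort {a : base | P} is encoded as ("subset", base, mk) where mk(a)
# builds the proposition P for the bound variable name a; "int" is the base sort.
nat = ("subset", "int", lambda a: (f"{a} >= 0", lambda env: env[a] >= 0))

# Closed formulas Phi: ("atom", Prop) | ("imp", Prop, Phi) | ("forall", a, Phi);
# after translation every quantifier ranges over int.


def translate(phi: List[tuple], Phi: tuple) -> tuple:
    """(.)Phi = Phi; (phi, a:gamma)Phi = (phi)(forall a:gamma.Phi);
    (phi, a:{a:gamma | P})Phi = (phi, a:gamma)(P imp Phi); (phi, P)Phi = (phi)(P imp Phi).
    Contexts are lists growing to the right, so the last entry is peeled off first."""
    if not phi:
        return Phi
    head, rest = phi[-1], phi[:-1]
    if head[0] == "prop":
        return translate(rest, ("imp", head[1], Phi))
    _, a, sort = head
    if sort == "int":
        return translate(rest, ("forall", a, Phi))
    _, base, mk = sort
    return translate(rest + [("var", a, base)], ("imp", mk(a), Phi))


def show(Phi: tuple) -> str:
    """Render a closed formula in the paper's notation."""
    if Phi[0] == "atom":
        return Phi[1][0]
    if Phi[0] == "imp":
        return f"{Phi[1][0]} ⊃ ({show(Phi[2])})"
    return f"∀{Phi[1]} : int. {show(Phi[2])}"


def holds(Phi: tuple, env: Env, bound: int) -> bool:
    """Evaluate a closed formula with every quantifier ranging over [-bound, bound]."""
    if Phi[0] == "atom":
        return Phi[1][1](env)
    if Phi[0] == "imp":
        return (not Phi[1][1](env)) or holds(Phi[2], env, bound)
    _, a, body = Phi
    return all(holds(body, {**env, a: n}, bound) for n in range(-bound, bound + 1))


def satisfies(phi: List[tuple], P: Prop, bound: int = 50) -> bool:
    """phi |= P, tested on a bounded range (not the paper's decision procedure)."""
    return holds(translate(phi, ("atom", P)), {}, bound)


# The paper's example: a : nat, a <> 0 |= a - 1 >= 0.
PHI = [("var", "a", nat), ("prop", ("a ≠ 0", lambda env: env["a"] != 0))]
P = ("a - 1 >= 0", lambda env: env["a"] - 1 >= 0)
# Dropping the hypothesis a <> 0 makes the relation fail at a = 0.
PHI_WEAK = [("var", "a", nat)]

if __name__ == "__main__":
    print(show(translate(PHI, ("atom", P))))
    print(satisfies(PHI, P), satisfies(PHI_WEAK, P))
```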

We use $\Pi a : \gamma.\tau$ and $\Sigma a : \gamma.\tau$ for the usual dependent function and sum types, respectively. A type of form $\Pi\vec{a} : \vec{\gamma}.\tau$ is essentially equivalent to $\Pi a_1 : \gamma_1 \ldots \Pi a_n : \gamma_n.\tau$, where we use $\vec{a} : \vec{\gamma}$ for $a_1 : \gamma_1, \ldots, a_n : \gamma_n$.¹ We also introduce $\lambda$-variables and $\mu$-variables in $\mathrm{ML}_0^{\Pi,\Sigma}$ and use $x$ and $f$ for them, respectively. A lambda-abstraction can only be formed over a $\lambda$-variable while recursion (via fixed point operator) must be formed over a $\mu$-variable. A $\lambda$-variable is a value but a $\mu$-variable is not.

We use $\lambda$ for abstracting over index variables, $\mathbf{lam}$ for abstracting over variables, and $\mathbf{fun}$ for forming recursive functions. Note that the body after either $\lambda$ or $\mathbf{fun}$ must be a value. We use $\langle i \mid e \rangle$ for packing an index $i$ with an expression $e$ to form an expression of a dependent sum type, and $\mathbf{open}$ for unpacking an expression of a dependent sum type.

2.2  Static  Semantics 

We write $\phi \vdash \tau : *$ to mean that $\tau$ is a legally formed type under $\phi$ and omit the standard rules for such judgments.

$$\text{index substitutions}\quad \theta_I ::= [\,] \mid \theta_I[a \mapsto i]$$

$$\text{substitutions}\quad \theta ::= [\,] \mid \theta[x \mapsto e] \mid \theta[f \mapsto e]$$

A substitution is a finite mapping and $[\,]$ represents an empty mapping. We use $\theta_I$ for a substitution mapping index variables to index expressions and $\mathrm{dom}(\theta_I)$ for the domain of $\theta_I$. Similar notations are used for substitutions on variables. We write $\bullet[\theta_I]$ ($\bullet[\theta]$) for the result from applying $\theta_I$ ($\theta$) to $\bullet$, where $\bullet$ can be a type, an expression, etc. The standard

¹In practice, we also have types of form $\Sigma\vec{a} : \vec{\gamma}.\tau$, which we omit here for simplifying the presentation.
index constants $c_I$
index expressions $i ::= a \mid c_I \mid i_1 + i_2 \mid i_1 - i_2 \mid i_1 * i_2 \mid i_1 / i_2$
index propositions $P ::= i_1 < i_2 \mid i_1 \le i_2 \mid i_1 \ge i_2 \mid i_1 > i_2 \mid i_1 = i_2 \mid i_1 \ne i_2 \mid P_1 \wedge P_2 \mid P_1 \vee P_2$
index sorts $\gamma ::= \mathit{int} \mid \{a : \gamma \mid P\}$
index variable contexts $\phi ::= \cdot \mid \phi, a : \gamma \mid \phi, P$
index constraints $\Phi ::= P \mid P \supset \Phi \mid \forall a : \gamma.\Phi$
types $\tau ::= \delta(\vec{i}) \mid \Pi a : \gamma.\tau \mid \Sigma a : \gamma.\tau \mid \tau_1 \to \tau_2$
contexts $\Gamma ::= \cdot \mid \Gamma, x : \tau \mid \Gamma, f : \tau$
constants $c ::= \mathit{true} \mid \mathit{false} \mid 0 \mid 1 \mid -1 \mid 2 \mid -2 \mid \cdots$
expressions $e ::= c \mid x \mid f \mid \mathbf{if}(e, e_1, e_2) \mid \lambda a : \gamma.v \mid \mathbf{lam}\ x : \tau.e \mid e_1(e_2) \mid \mathbf{fun}\ f[\vec{a} : \vec{\gamma}] : \tau\ \mathbf{is}\ v \mid e[i] \mid \langle i \mid e \rangle \mid \mathbf{open}\ e_1\ \mathbf{as}\ \langle a \mid x \rangle\ \mathbf{in}\ e_2$
values $v ::= c \mid x \mid \lambda a : \gamma.v \mid \mathbf{lam}\ x : \tau.e \mid \langle i \mid v \rangle$

Figure 2. The syntax for $\mathrm{ML}_0^{\Pi,\Sigma}$


$$\frac{\phi;\Gamma \vdash e : \tau_1 \quad \phi \models \tau_1 \equiv \tau_2}{\phi;\Gamma \vdash e : \tau_2}\ \text{(type-eq)}$$

$$\frac{\Gamma(x) = \tau}{\phi;\Gamma \vdash x : \tau}\ \text{(type-}\lambda\text{-var)} \qquad \frac{\Gamma(f) = \tau}{\phi;\Gamma \vdash f : \tau}\ \text{(type-}\mu\text{-var)}$$

$$\frac{\phi, a : \gamma; \Gamma \vdash v : \tau}{\phi;\Gamma \vdash \lambda a : \gamma.v : \Pi a : \gamma.\tau}\ \text{(type-ilam)} \qquad \frac{\phi;\Gamma \vdash e : \Pi a : \gamma.\tau \quad \phi \vdash i : \gamma}{\phi;\Gamma \vdash e[i] : \tau[a \mapsto i]}\ \text{(type-iapp)}$$

$$\frac{\phi, \vec{a} : \vec{\gamma}; \Gamma, f : \Pi\vec{a} : \vec{\gamma}.\tau \vdash v : \tau}{\phi;\Gamma \vdash \mathbf{fun}\ f[\vec{a} : \vec{\gamma}] : \tau\ \mathbf{is}\ v : \Pi\vec{a} : \vec{\gamma}.\tau}\ \text{(type-fun)}$$

$$\frac{\phi;\Gamma \vdash e : \mathit{bool}(i) \quad \phi, i = 1; \Gamma \vdash e_1 : \tau \quad \phi, i = 0; \Gamma \vdash e_2 : \tau}{\phi;\Gamma \vdash \mathbf{if}(e, e_1, e_2) : \tau}\ \text{(type-if)}$$

$$\frac{\phi; \Gamma, x : \tau_1 \vdash e : \tau_2}{\phi;\Gamma \vdash \mathbf{lam}\ x : \tau_1.e : \tau_1 \to \tau_2}\ \text{(type-lam)} \qquad \frac{\phi;\Gamma \vdash e_1 : \tau_1 \to \tau_2 \quad \phi;\Gamma \vdash e_2 : \tau_1}{\phi;\Gamma \vdash e_1(e_2) : \tau_2}\ \text{(type-app)}$$

$$\frac{\phi \vdash i : \gamma \quad \phi;\Gamma \vdash e : \tau[a \mapsto i]}{\phi;\Gamma \vdash \langle i \mid e \rangle : \Sigma a : \gamma.\tau}\ \text{(type-pack)}$$

$$\frac{\phi;\Gamma \vdash e_1 : \Sigma a : \gamma.\tau_1 \quad \phi, a : \gamma; \Gamma, x : \tau_1 \vdash e_2 : \tau_2}{\phi;\Gamma \vdash \mathbf{open}\ e_1\ \mathbf{as}\ \langle a \mid x \rangle\ \mathbf{in}\ e_2 : \tau_2}\ \text{(type-open)}$$

Figure 3. Typing Rules for $\mathrm{ML}_0^{\Pi,\Sigma}$


definition is omitted. The following rules are for judgments of form $\phi \vdash \theta_I : \phi'$, which roughly means that $\theta_I$ has "type" $\phi'$.


$$\frac{}{\phi \vdash [\,] : \cdot}\ \text{(sub-i-empty)} \qquad \frac{\phi \vdash \theta_I : \phi' \quad \phi \vdash i : \gamma[\theta_I]}{\phi \vdash \theta_I[a \mapsto i] : \phi', a : \gamma}\ \text{(sub-i-var)} \qquad \frac{\phi \vdash \theta_I : \phi' \quad \phi \models P[\theta_I]}{\phi \vdash \theta_I : \phi', P}\ \text{(sub-i-prop)}$$


We write $\mathrm{dom}(\Gamma)$ for the domain of $\Gamma$, that is, the set of variables declared in $\Gamma$. Given substitutions $\theta_I$ and $\theta$, we say $\phi;\Gamma \vdash (\theta_I;\theta) : (\phi';\Gamma')$ holds if $\phi \vdash \theta_I : \phi'$ and $\mathrm{dom}(\theta) = \mathrm{dom}(\Gamma')$ and $\phi;\Gamma \vdash \theta(x) : \Gamma'(x)[\theta_I]$ for all $x \in \mathrm{dom}(\Gamma')$.

We write $\phi \models \tau \equiv \tau'$ for the congruent extension of $\phi \models i = j$ from index expressions to types, determined by the following rules. It is the application of these rules that generates constraints during type-checking.

$$\frac{\phi \models \vec{i} = \vec{j}}{\phi \models \delta(\vec{i}) \equiv \delta(\vec{j})} \qquad \frac{\phi \models \tau_1 \equiv \tau_1' \quad \phi \models \tau_2 \equiv \tau_2'}{\phi \models \tau_1 \to \tau_2 \equiv \tau_1' \to \tau_2'}$$

$$\frac{\phi, a : \gamma \models \tau \equiv \tau'}{\phi \models \Pi a : \gamma.\tau \equiv \Pi a : \gamma.\tau'} \qquad \frac{\phi, a : \gamma \models \tau \equiv \tau'}{\phi \models \Sigma a : \gamma.\tau \equiv \Sigma a : \gamma.\tau'}$$

We present the typing rules for $\mathrm{ML}_0^{\Pi,\Sigma}$ in Figure 3. Some of these rules have obvious side conditions, which are omitted. For instance, in the rule (type-ilam), $a$ cannot have free occurrences in $\Gamma$. The following lemma plays a pivotal role in proving the subject reduction theorem for $\mathrm{ML}_0^{\Pi,\Sigma}$, whose standard proof is available in [14].

Lemma 2.1 Assume $\phi, \phi'; \Gamma, \Gamma' \vdash e : \tau$ is derivable and $\phi;\Gamma \vdash (\theta_I;\theta) : (\phi';\Gamma')$ holds. Then we can derive $\phi;\Gamma \vdash e[\theta_I][\theta] : \tau[\theta_I]$.
2.3 Dynamic Semantics

We present the dynamic semantics of $\mathrm{ML}_0^{\Pi,\Sigma}$ through the use of evaluation contexts defined below. Certainly, there are other possibilities for this purpose, which we do not explore here.²

$$\text{evaluation contexts}\quad E ::= [\,] \mid \mathbf{if}(E, e_1, e_2) \mid E[i] \mid E(e) \mid v(E) \mid \langle i \mid E \rangle \mid \mathbf{open}\ E\ \mathbf{as}\ \langle a \mid x \rangle\ \mathbf{in}\ e$$

We write $E[e]$ for the expression resulting from replacing the hole $[\,]$ in $E$ with $e$. Note that this replacement can never result in capturing free variables.

Definition 2.2 A redex is defined below.

• $\mathbf{if}(c, e_1, e_2)$ are redexes for $c = \mathit{true}, \mathit{false}$, which reduce to $e_1$ and $e_2$, respectively.

• $(\mathbf{lam}\ x : \tau.e)(v)$ is a redex, which reduces to $e[x \mapsto v]$.

• Let $e$ be $\mathbf{fun}\ f[\vec{a} : \vec{\gamma}] : \tau\ \mathbf{is}\ v$. Then $e$ is a redex, which reduces to $\lambda\vec{a} : \vec{\gamma}.v[f \mapsto e]$.

• $(\lambda a : \gamma.v)[i]$ is a redex, which reduces to $v[a \mapsto i]$.

• $\mathbf{open}\ \langle i \mid v \rangle\ \mathbf{as}\ \langle a \mid x \rangle\ \mathbf{in}\ e$ is a redex, which reduces to $e[a \mapsto i][x \mapsto v]$.

We use $r$ for a redex and write $r \hookrightarrow e$ if $r$ reduces to $e$. If $e_1 = E[r]$, $e_2 = E[e]$ and $r \hookrightarrow e$, we write $e_1 \hookrightarrow e_2$ and say $e_1$ reduces to $e_2$ in one step.

Let $\hookrightarrow^*$ be the reflexive and transitive closure of $\hookrightarrow$. We say $e_1$ reduces to $e_2$ (in many steps) if $e_1 \hookrightarrow^* e_2$. We omit the standard proof for the following subject reduction theorem, which uses Lemma 2.1.

Theorem 2.3 (Subject Reduction) Assume $\cdot;\cdot \vdash e : \tau$ is derivable in $\mathrm{ML}_0^{\Pi,\Sigma}$. If $e \hookrightarrow e'$, then $\cdot;\cdot \vdash e' : \tau$ is also derivable in $\mathrm{ML}_0^{\Pi,\Sigma}$.

2.4 Erasure

We can simply transform $\mathrm{ML}_0^{\Pi,\Sigma}$ into a language $\mathrm{ML}_0$ by erasing all syntax related to type index expressions in $\mathrm{ML}_0^{\Pi,\Sigma}$. Then $\mathrm{ML}_0$ basically extends simply typed $\lambda$-calculus with recursion. Let $|e|$ be the erasure of expression $e$. We have $e_1$ reducing to $e_2$ in $\mathrm{ML}_0^{\Pi,\Sigma}$ implies $|e_1|$ reducing to $|e_2|$ in $\mathrm{ML}_0$. Therefore, if $e$ is terminating in $\mathrm{ML}_0^{\Pi,\Sigma}$ then $|e|$ is terminating in $\mathrm{ML}_0$. This is a crucial point since the evaluation of a program in $\mathrm{ML}_0^{\Pi,\Sigma}$ is (most likely) done through the evaluation of its erasure in $\mathrm{ML}_0$. Please find more details on this issue in [18, 14].

²For instance, it is suggested that one present the dynamic semantics in the style of natural semantics and then later form the notion of reducibility for evaluation rules.


3  $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$

We combine metrics with the dependent types in $\mathrm{ML}_0^{\Pi,\Sigma}$, forming a language $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$. We then prove that every well-typed program in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ is terminating, which is the main technical contribution of the paper.

3.1 Metrics

We use $\le$ for the usual lexicographic ordering on tuples of natural numbers and $<$ for the strict part of $\le$. Given two tuples of natural numbers $(i_1, \ldots, i_n)$ and $(i_1', \ldots, i_{n'}')$, $(i_1, \ldots, i_n) < (i_1', \ldots, i_{n'}')$ holds if $n = n'$ and for some $0 < k \le n$, $i_j = i_j'$ for $j = 1, \ldots, k - 1$ and $i_k < i_k'$. Evidently, $<$ is well-founded. We stress that (in theory) there is no difficulty supporting various other well-founded orderings on natural numbers such as the usual multiset ordering. We fix an ordering solely for easing the presentation.

Definition 3.1 (Metric) Let $\mu = (i_1, \ldots, i_n)$ be a tuple of index expressions and $\phi$ be an index variable context. We say $\mu$ is a metric under $\phi$ if $\phi \vdash i_j : \mathit{nat}$ are derivable for $j = 1, \ldots, n$. We write $\phi \vdash \mu : \mathit{metric}$ to mean $\mu$ is a metric under $\phi$.

A decorated type in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ is of form $\Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau$, and the following rule is for forming such types.

$$\frac{\phi, \vec{a} : \vec{\gamma} \vdash \tau : * \quad \phi, \vec{a} : \vec{\gamma} \vdash \mu : \mathit{metric}}{\phi \vdash \Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau : *}$$

The syntax of $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ is the same as that of $\mathrm{ML}_0^{\Pi,\Sigma}$ except that a context $\Gamma$ in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ maps every $\mu$-variable $f$ in its domain to a decorated type and a recursive function in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ is of form $\mathbf{fun}\ f[\vec{a} : \vec{\gamma}] : \mu \Rightarrow \tau\ \mathbf{is}\ v$. The process of translating a source program into an expression in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ is what we call elaboration, which is thoroughly explained in [18, 14]. Our approach to program termination verification is to be applied to elaborated programs.

3.2 Dynamic and Static Semantics

The dynamic semantics of $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ is formed in precisely the same manner as that of $\mathrm{ML}_0^{\Pi,\Sigma}$ and we thus omit all the details.

The difference between $\mathrm{ML}_0^{\Pi,\Sigma}$ and $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ lies in static semantics. There are two kinds of typing judgments in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$, which are of forms $\phi;\Gamma \vdash e : \tau$ and $\phi;\Gamma \vdash e : \tau \ll_f \mu_0$. We call the latter a metric typing judgment, for which we give some explanation. Suppose $\phi;\Gamma \vdash e : \tau \ll_f \mu_0$ and $\Gamma(f) = \Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau$; roughly speaking, for each free occurrence of $f$ in $e$, $f$ is followed by a sequence of index expressions $[\vec{i}]$ such that $\mu[\vec{a} \mapsto \vec{i}]$, which we call the label of this occurrence of $f$, is less than $\mu_0$ under $\phi$. Now suppose we have a well-typed closed recursive function $e = \mathbf{fun}\ f[\vec{a} : \vec{\gamma}] : \mu \Rightarrow \tau\ \mathbf{is}\ v$ in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ and $\vec{i}$ are of sorts $\vec{\gamma}$; then $f[\vec{i}][f \mapsto e] = e[\vec{i}] \hookrightarrow^* v[\vec{a} \mapsto \vec{i}][f \mapsto e]$ holds; by the rule (type-fun), we know that all labels of $f$ in $v$ are less than $\mu[\vec{a} \mapsto \vec{i}]$, which is the label of $f$ in $f[\vec{i}]$; since labels cannot decrease forever, this yields some basic intuition on why all recursive functions in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ are terminating. However, this intuitive argument is difficult to formalize directly in the presence of higher-order functions.

The typing rules in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ for a judgment of form $\phi;\Gamma \vdash e : \tau$ are essentially the same as those in $\mathrm{ML}_0^{\Pi,\Sigma}$ except the following ones.

$$\frac{\Gamma(f) = \Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau}{\phi;\Gamma \vdash f : \Pi\vec{a} : \vec{\gamma}.\tau}\ \text{(type-}\mu\text{-var)}$$

$$\frac{\phi, \vec{a} : \vec{\gamma}; \Gamma, f : \Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau \vdash v : \tau \ll_f \mu}{\phi;\Gamma \vdash \mathbf{fun}\ f[\vec{a} : \vec{\gamma}] : \mu \Rightarrow \tau\ \mathbf{is}\ v : \Pi\vec{a} : \vec{\gamma}.\tau}\ \text{(type-fun)}$$


We present the rules for deriving metric typing judgments in Figure 4. Given $\mu = (i_1, \ldots, i_n)$ and $\mu' = (i_1', \ldots, i_n')$, $\phi \models \mu < \mu'$ means that for some $1 \le k \le n$, $\phi, i_1 = i_1', \ldots, i_{j-1} = i_{j-1}' \models i_j \le i_j'$ are satisfied for all $1 \le j < k$ and $\phi, i_1 = i_1', \ldots, i_{k-1} = i_{k-1}' \models i_k < i_k'$ is also satisfied.

Lemma 3.2 We have the following.

1. Assume $\phi, \phi'; \Gamma, \Gamma' \vdash e : \tau$ is derivable and $\phi;\Gamma \vdash (\theta_I;\theta) : (\phi';\Gamma')$ holds. Then we can derive $\phi;\Gamma \vdash e[\theta_I][\theta] : \tau[\theta_I]$.

2. Assume $\phi, \phi'; \Gamma, \Gamma' \vdash e : \tau \ll_f \mu$ is derivable and $\phi;\Gamma \vdash (\theta_I;\theta) : (\phi';\Gamma')$ holds and $f \in \mathrm{dom}(\Gamma)$. Then we can derive $\phi;\Gamma \vdash e[\theta_I][\theta] : \tau[\theta_I] \ll_f \mu[\theta_I]$.

Proof (1) and (2) are proven simultaneously by structural induction on derivations of $\phi, \phi'; \Gamma, \Gamma' \vdash e : \tau$ and $\phi, \phi'; \Gamma, \Gamma' \vdash e : \tau \ll_f \mu$, respectively. ■

Theorem 3.3 (Subject Reduction) Assume $\cdot;\cdot \vdash e : \tau$ is derivable in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$. If $e \hookrightarrow e'$, then $\cdot;\cdot \vdash e' : \tau$ is also derivable in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$.

Obviously, we have the following.

Proposition 3.4 Assume that $\mathcal{D}$ is a derivation of $\phi;\Gamma \vdash e : \tau \ll_f \mu_0$. Then there is a derivation $\mathcal{D}'$ of $\phi;\Gamma \vdash e : \tau$ with the same height³ as $\mathcal{D}$.

3.3 Reducibility

We define the notion of reducibility for well-typed closed expressions.

Definition 3.5 (Reducibility) Suppose that $e$ is a closed expression of type $\tau$ and $e \hookrightarrow^* v$ holds for some value $v$. The reducibility of $e$ is defined by induction on the complexity of $\tau$.

1. $\tau$ is a base type. Then $e$ is reducible.

2. $\tau = \tau_1 \to \tau_2$. Then $e$ is reducible if $e(v_1)$ are reducible for all reducible values $v_1$ of type $\tau_1$.

3. $\tau = \Pi a : \gamma.\tau_1$. Then $e$ is reducible if $e[i]$ are reducible for all $i : \gamma$.

4. $\tau = \Sigma a : \gamma.\tau_1$. Then $e$ is reducible if $v = \langle i \mid v_1 \rangle$ for some $i$ and $v_1$ such that $v_1$ is a reducible value of type $\tau_1[a \mapsto i]$.

Note that reducibility is only defined for closed expressions that reduce to values.

Proposition 3.6 Assume that $e$ is a closed expression of type $\tau$ and $e \hookrightarrow e'$ holds. Then $e$ is reducible if and only if $e'$ is reducible.

Proof By induction on the complexity of $\tau$. ■

The following is a key notion for handling recursion, which, though natural, requires some technical insights.

Definition 3.7 ($\mu$-Reducibility) Let $e$ be a well-typed closed recursive function $\mathbf{fun}\ f[\vec{a} : \vec{\gamma}] : \mu \Rightarrow \tau\ \mathbf{is}\ v$ and $\mu_0$ be a closed metric. $e$ is $\mu_0$-reducible if $e[\vec{i}]$ are reducible for all $\vec{i} : \vec{\gamma}$ satisfying $\mu[\vec{a} \mapsto \vec{i}] < \mu_0$.

Definition 3.8 Let $\theta$ be a substitution that maps variables to expressions; for every $x \in \mathrm{dom}(\theta)$, $\theta$ is $x$-reducible if $\theta(x)$ is reducible; for every $f \in \mathrm{dom}(\theta)$, $\theta$ is $(f, \mu_f)$-reducible if $\theta(f)$ is $\mu_f$-reducible.

In some sense, the following lemma verifies whether the notion of reducibility is formed correctly, where the difficulty probably lies in its formulation rather than in its proof.

Lemma 3.9 (Main Lemma) Assume that $\phi;\Gamma \vdash e : \tau$ and $\cdot;\cdot \vdash (\theta_I;\theta) : (\phi;\Gamma)$ are derivable. Also assume that $\theta$ is $x$-reducible for every $x \in \mathrm{dom}(\Gamma)$ and for every $f \in \mathrm{dom}(\Gamma)$, $\cdot;\Gamma[\theta_I] \vdash e[\theta_I] : \tau[\theta_I] \ll_f \mu_f$ is derivable and $\theta$ is $(f, \mu_f)$-reducible. Then $e[\theta_I][\theta]$ is reducible.

Proof Let $\mathcal{D}$ be a derivation of $\phi;\Gamma \vdash e : \tau$ and we proceed by induction on the height of $\mathcal{D}$. We present the most interesting case below. All other cases can be found in [16]. Assume that the following rule (type-fun) is last applied in $\mathcal{D}$.

³For a minor technicality reason, we count neither of the rules (type-$\mu$-var) and ($\ll$-$\mu$-var) when calculating the height of a derivation.


$$\frac{\phi, \vec{a}_1 : \vec{\gamma}_1; \Gamma, f_1 : \Pi\vec{a}_1 : \vec{\gamma}_1.\mu_1 \Rightarrow \tau_1 \vdash v_1 : \tau_1 \ll_{f_1} \mu_1}{\phi;\Gamma \vdash \mathbf{fun}\ f_1[\vec{a}_1 : \vec{\gamma}_1] : \mu_1 \Rightarrow \tau_1\ \mathbf{is}\ v_1 : \Pi\vec{a}_1 : \vec{\gamma}_1.\tau_1}$$

where we have $e = \mathbf{fun}\ f_1[\vec{a}_1 : \vec{\gamma}_1] : \mu_1 \Rightarrow \tau_1\ \mathbf{is}\ v_1$ and $\tau = \Pi\vec{a}_1 : \vec{\gamma}_1.\tau_1$. Suppose that $e^* = e[\theta_I][\theta]$ is not reducible. Then by definition there exist $\vec{i}_0 : \vec{\gamma}_1^*$ such that $e^*[\vec{i}_0]$ is not reducible but $e^*[\vec{i}]$ are reducible for all $\vec{i} : \vec{\gamma}_1^*$ satisfying $\mu_1^*[\vec{a}_1 \mapsto \vec{i}] < \mu_1^*[\vec{a}_1 \mapsto \vec{i}_0]$, where $\vec{\gamma}_1^* = \vec{\gamma}_1[\theta_I]$ and $\mu_1^* = \mu_1[\theta_I]$. In other words, $e^*$ is $\mu_{f_1}$-reducible for $\mu_{f_1} = \mu_1^*[\vec{a}_1 \mapsto \vec{i}_0]$. Note that we can derive $\cdot; \Gamma[\theta_I], f_1 : \Pi\vec{a}_1 : \vec{\gamma}_1^*.\tau_1[\theta_I] \vdash v_1[\theta_I[\vec{a}_1 \mapsto \vec{i}_0]] : \tau_1[\theta_I[\vec{a}_1 \mapsto$
$$\frac{\Gamma(x) = \tau}{\phi;\Gamma \vdash x : \tau \ll_f \mu_0}\ (\ll\text{-}\lambda\text{-var}) \qquad \frac{\Gamma(f') = \tau \quad f' \ne f}{\phi;\Gamma \vdash f' : \tau \ll_f \mu_0}\ (\ll\text{-}\mu\text{-var})$$

$$\frac{\phi;\Gamma \vdash e : \mathit{bool}(i) \ll_f \mu_0 \quad \phi, i = 1; \Gamma \vdash e_1 : \tau \ll_f \mu_0 \quad \phi, i = 0; \Gamma \vdash e_2 : \tau \ll_f \mu_0}{\phi;\Gamma \vdash \mathbf{if}(e, e_1, e_2) : \tau \ll_f \mu_0}\ (\ll\text{-if})$$

$$\frac{\phi, a : \gamma; \Gamma \vdash v : \tau \ll_f \mu_0}{\phi;\Gamma \vdash \lambda a : \gamma.v : \Pi a : \gamma.\tau \ll_f \mu_0}\ (\ll\text{-ilam}) \qquad \frac{\phi;\Gamma \vdash e : \Pi a : \gamma.\tau \ll_f \mu_0 \quad \phi \vdash i : \gamma}{\phi;\Gamma \vdash e[i] : \tau[a \mapsto i] \ll_f \mu_0}\ (\ll\text{-iapp})$$

$$\frac{\phi; \Gamma, x : \tau_1 \vdash e : \tau_2 \ll_f \mu_0}{\phi;\Gamma \vdash \mathbf{lam}\ x : \tau_1.e : \tau_1 \to \tau_2 \ll_f \mu_0}\ (\ll\text{-lam}) \qquad \frac{\phi;\Gamma \vdash e_1 : \tau_1 \to \tau_2 \ll_f \mu_0 \quad \phi;\Gamma \vdash e_2 : \tau_1 \ll_f \mu_0}{\phi;\Gamma \vdash e_1(e_2) : \tau_2 \ll_f \mu_0}\ (\ll\text{-app})$$

$$\frac{\phi, \vec{a}_1 : \vec{\gamma}_1; \Gamma, f_1 : \Pi\vec{a}_1 : \vec{\gamma}_1.\mu_1 \Rightarrow \tau_1 \vdash v_1 : \tau_1 \ll_{f_1} \mu_1 \quad \phi, \vec{a}_1 : \vec{\gamma}_1; \Gamma, f_1 : \Pi\vec{a}_1 : \vec{\gamma}_1.\tau_1 \vdash v_1 : \tau_1 \ll_f \mu_0}{\phi;\Gamma \vdash \mathbf{fun}\ f_1[\vec{a}_1 : \vec{\gamma}_1] : \mu_1 \Rightarrow \tau_1\ \mathbf{is}\ v_1 : \Pi\vec{a}_1 : \vec{\gamma}_1.\tau_1 \ll_f \mu_0}\ (\ll\text{-fun})$$

$$\frac{\phi \vdash \vec{i} : \vec{\gamma} \quad \phi \models \mu[\vec{a} \mapsto \vec{i}] < \mu_0 \quad \Gamma(f) = \Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau}{\phi;\Gamma \vdash f[\vec{i}] : \tau[\vec{a} \mapsto \vec{i}] \ll_f \mu_0}\ (\ll\text{-lab})$$

$$\frac{\phi \vdash i : \gamma \quad \phi;\Gamma \vdash e : \tau[a \mapsto i] \ll_f \mu_0}{\phi;\Gamma \vdash \langle i \mid e \rangle : \Sigma a : \gamma.\tau \ll_f \mu_0}\ (\ll\text{-pack})$$

$$\frac{\phi;\Gamma \vdash e_1 : \Sigma a : \gamma.\tau_1 \ll_f \mu_0 \quad \phi, a : \gamma; \Gamma, x : \tau_1 \vdash e_2 : \tau_2 \ll_f \mu_0}{\phi;\Gamma \vdash \mathbf{open}\ e_1\ \mathbf{as}\ \langle a \mid x \rangle\ \mathbf{in}\ e_2 : \tau_2 \ll_f \mu_0}\ (\ll\text{-open})$$

Figure 4. Metric Typing Rules for $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$


$\vec{i}_0]] \ll_{f_1} \mu_{f_1}$. By Proposition 3.4, there is a derivation $\mathcal{D}_1$ of $\phi, \vec{a}_1 : \vec{\gamma}_1; \Gamma, f_1 : \Pi\vec{a}_1 : \vec{\gamma}_1.\mu_1 \Rightarrow \tau_1 \vdash v_1 : \tau_1$ such that the height of $\mathcal{D}_1$ is less than that of $\mathcal{D}$. By induction hypothesis, we have that $v_1^* = v_1[\theta_I[\vec{a}_1 \mapsto \vec{i}_0]][\theta[f_1 \mapsto e^*]]$ is reducible. Note that $e^*[\vec{i}_0] \hookrightarrow^* v_1^*$ and thus $e^*[\vec{i}_0]$ is reducible, contradicting the definition of $\vec{i}_0$. Therefore, $e^*$ is reducible. ■

The following is the main result of the paper.

Corollary 3.10 If $\cdot;\cdot \vdash e : \tau$ is derivable in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$, then $e$ is reducible in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ and thus reduces to a value.

Proof The corollary follows from Lemma 3.9. ■

4  Extensions 

We can extend $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ with some significant programming features such as mutual recursion, datatypes and polymorphism, defining the notion of reducibility for each extension and thus making it clear that Lemma 3.9 still holds after the extension. We present in this section the treatment of mutual recursion and currying, leaving the details in [16].

4.1  Mutual  Recursion 

The treatment of mutual recursion is slightly different from the standard one. The syntax and typing rules for handling mutual recursion are given in Figure 5. We use $(\tau_1, \ldots, \tau_n)$ for the type of an expression representing $n$ mutually recursive functions of types $\tau_1, \ldots, \tau_n$, respectively, which should not be confused with the product of types $\tau_1, \ldots, \tau_n$. Also, the $n$ in $e.n$ must be a positive (constant) integer. Let $v$ be the following expression.

$$\mathbf{funs}\ f_1[\vec{a}_1 : \vec{\gamma}_1] : \tau_1\ \mathbf{is}\ v_1\ \mathbf{and} \ldots \mathbf{and}\ f_n[\vec{a}_n : \vec{\gamma}_n] : \tau_n\ \mathbf{is}\ v_n$$

Then for every $1 \le k \le n$, $v.k$ is a redex, which reduces to $\lambda\vec{a}_k : \vec{\gamma}_k.v_k[f_1 \mapsto v.1, \ldots, f_n \mapsto v.n]$. Let $\vec{f} = f_1, \ldots, f_n$ and we form a metric typing judgment $\phi;\Gamma \vdash e : \tau \ll_{\vec{f}} \mu_0$ for verifying that all labels of $f_1, \ldots, f_n$ in $e$ are less than $\mu_0$ under $\phi$. The rules for deriving such a judgment are essentially the same as those in Figure 4 except ($\ll$-lab), which is given below.

$$\frac{f \in \vec{f} \quad \Gamma(f) = \Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau \quad \phi \models \mu[\vec{a} \mapsto \vec{i}] < \mu_0}{\phi;\Gamma \vdash f[\vec{i}] : \tau[\vec{a} \mapsto \vec{i}] \ll_{\vec{f}} \mu_0}$$

The rule ($\ll$-funs) for handling mutual recursion is straightforward and thus omitted.

Definition 4.1 (Reducibility) Let $e$ be a closed expression of type $(\tau_1, \ldots, \tau_n)$ and $e$ reduces to $v$. $e$ is reducible if $e.k$ are reducible for $k = 1, \ldots, n$.

4.2  Currying 

A decorated type must so far be of form $\Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau$ and this restriction has a rather unpleasant consequence. For




types $\tau ::= \cdots \mid (\Pi\vec{a}_1 : \vec{\gamma}_1.\tau_1, \ldots, \Pi\vec{a}_n : \vec{\gamma}_n.\tau_n)$
expressions $e ::= \cdots \mid e.n \mid \mathbf{funs}\ f_1[\vec{a}_1 : \vec{\gamma}_1] : \tau_1\ \mathbf{is}\ v_1\ \mathbf{and} \ldots \mathbf{and}\ f_n[\vec{a}_n : \vec{\gamma}_n] : \tau_n\ \mathbf{is}\ v_n$
values $v ::= \cdots \mid \mathbf{funs}\ f_1[\vec{a}_1 : \vec{\gamma}_1] : \tau_1\ \mathbf{is}\ v_1\ \mathbf{and} \ldots \mathbf{and}\ f_n[\vec{a}_n : \vec{\gamma}_n] : \tau_n\ \mathbf{is}\ v_n$

$$\frac{\begin{array}{c}\vec{f} = f_1, \ldots, f_n \qquad \tau = (\Pi\vec{a}_1 : \vec{\gamma}_1.\tau_1, \ldots, \Pi\vec{a}_n : \vec{\gamma}_n.\tau_n) \\ \phi, \vec{a}_1 : \vec{\gamma}_1; \Gamma, f_1 : \Pi\vec{a}_1 : \vec{\gamma}_1.\mu_1 \Rightarrow \tau_1, \ldots, f_n : \Pi\vec{a}_n : \vec{\gamma}_n.\mu_n \Rightarrow \tau_n \vdash v_1 : \tau_1 \ll_{\vec{f}} \mu_1 \\ \vdots \\ \phi, \vec{a}_n : \vec{\gamma}_n; \Gamma, f_1 : \Pi\vec{a}_1 : \vec{\gamma}_1.\mu_1 \Rightarrow \tau_1, \ldots, f_n : \Pi\vec{a}_n : \vec{\gamma}_n.\mu_n \Rightarrow \tau_n \vdash v_n : \tau_n \ll_{\vec{f}} \mu_n\end{array}}{\phi;\Gamma \vdash \mathbf{funs}\ f_1[\vec{a}_1 : \vec{\gamma}_1] : \mu_1 \Rightarrow \tau_1\ \mathbf{is}\ v_1\ \mathbf{and} \ldots \mathbf{and}\ f_n[\vec{a}_n : \vec{\gamma}_n] : \mu_n \Rightarrow \tau_n\ \mathbf{is}\ v_n : \tau}\ \text{(type-funs)}$$

$$\frac{\phi;\Gamma \vdash e : (\tau_1, \ldots, \tau_n) \quad 1 \le k \le n}{\phi;\Gamma \vdash e.k : \tau_k}\ \text{(type-choose)}$$

Figure 5. The Syntax and Typing Rules for Mutual Recursion


instance, we may want to assign the following type $\tau$ to the implementation of Ackerman function in Figure 1:

{i:nat} int(i) -> {j:nat} int(j) -> int,

which is formally written as

$$\Pi a_1 : \mathit{nat}.\mathit{int}(a_1) \to \Pi a_2 : \mathit{nat}.\mathit{int}(a_2) \to \Sigma a : \mathit{nat}.\mathit{int}(a).$$

If we decorate $\tau$ with a metric $\mu$, then $\mu$ can only involve the index variable $a_1$, making it impossible to verify that the implementation is terminating.

We generalize the form of decorated types to the following so as to address the problem.

$$\Pi\vec{a}_1 : \vec{\gamma}_1.\tau_1 \to \cdots \to \Pi\vec{a}_n : \vec{\gamma}_n.\tau_n \to \Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau.$$

Also, we introduce the following form of expression $e$ for representing a recursive function.

$$\mathbf{fun}\ f[\vec{a}_1 : \vec{\gamma}_1](x_1 : \tau_1) \cdots [\vec{a}_n : \vec{\gamma}_n](x_n : \tau_n)[\vec{a} : \vec{\gamma}] : \mu \Rightarrow \tau\ \mathbf{is}\ e_0$$

We require that $e_0$ be a value if $n = 0$. In the following, we only deal with the case $n = 1$. For $n > 1$, the treatment is similar. For $e = \mathbf{fun}\ f[\vec{a}_1 : \vec{\gamma}_1](x_1 : \tau_1)[\vec{a} : \vec{\gamma}] : \mu \Rightarrow \tau\ \mathbf{is}\ e_0$, we have $e \hookrightarrow \lambda\vec{a}_1 : \vec{\gamma}_1.\mathbf{lam}\ x_1 : \tau_1.\lambda\vec{a} : \vec{\gamma}.e_0[f \mapsto e]$ and the following typing rule

$$\frac{\phi, \vec{a}_1 : \vec{\gamma}_1, \vec{a} : \vec{\gamma}; \Gamma, f : \tau_0, x_1 : \tau_1 \vdash e_0 : \tau \ll_f \mu}{\phi;\Gamma \vdash \mathbf{fun}\ f[\vec{a}_1 : \vec{\gamma}_1](x_1 : \tau_1)[\vec{a} : \vec{\gamma}] : \mu \Rightarrow \tau\ \mathbf{is}\ e_0 : \tau_0}$$

where $\tau_0 = \Pi\vec{a}_1 : \vec{\gamma}_1.\tau_1 \to \Pi\vec{a} : \vec{\gamma}.\tau$, and the following metric typing rule

$$\frac{\phi \vdash \vec{i}_1 : \vec{\gamma}_1 \quad \phi \vdash \vec{i} : \vec{\gamma}[\vec{a}_1 \mapsto \vec{i}_1] \quad \phi \models \mu[\vec{a}_1 \mapsto \vec{i}_1][\vec{a} \mapsto \vec{i}] < \mu_0 \quad \phi;\Gamma \vdash e_1 : \tau_1[\vec{a}_1 \mapsto \vec{i}_1] \ll_f \mu_0 \quad \Gamma(f) = \Pi\vec{a}_1 : \vec{\gamma}_1.\tau_1 \to \Pi\vec{a} : \vec{\gamma}.\mu \Rightarrow \tau}{\phi;\Gamma \vdash f[\vec{i}_1](e_1)[\vec{i}] : \tau[\vec{a}_1 \mapsto \vec{i}_1][\vec{a} \mapsto \vec{i}] \ll_f \mu_0}$$

Definition 4.2 ($\mu$-reducibility) Let $e$ be a closed recursive function $\mathbf{fun}\ f[\vec{a}_1 : \vec{\gamma}_1](x_1 : \tau_1)[\vec{a} : \vec{\gamma}] : \mu \Rightarrow \tau\ \mathbf{is}\ e_0$ and $\mu_0$ be a closed metric. $e$ is $\mu_0$-reducible if $e[\vec{i}_1](v)[\vec{i}]$ are reducible for all reducible values $v : \tau_1[\vec{a}_1 \mapsto \vec{i}_1]$ and $\vec{i}_1 : \vec{\gamma}_1$ and $\vec{i} : \vec{\gamma}[\vec{a}_1 \mapsto \vec{i}_1]$ satisfying $\mu[\vec{a}_1 \mapsto \vec{i}_1][\vec{a} \mapsto \vec{i}] < \mu_0$.


5  Practice

We have implemented a type-checker for $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ in a prototype implementation of DML and experimented with various examples, some of which are presented below. We also address the practicality issue at the end of this section.

5.1  Examples 

We demonstrate how various programming features are handled in practice by our approach to program termination verification.

Primitive Recursion The following is an implementation of the primitive recursion operator $R$ in Gödel's $T$, which is clearly typable in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$. Note that $Z$ and $S$ are assigned the types $\mathit{Nat}(0)$ and $\Pi n : \mathit{nat}.\mathit{Nat}(n) \to \mathit{Nat}(n + 1)$, respectively.

datatype Nat with nat =
  Z(0) | {n:nat} S(n+1) of Nat(n)

fun('a) R Z u v = u
  | R (S n) u v = v n (R n u v)
withtype {n:nat} <n> =>
         Nat(n) -> 'a -> (Nat -> 'a -> 'a) -> 'a
(* Nat is for [n:nat] Nat(n) in a type *)

By Corollary 3.10, it is clear that every term in $T$ is terminating (or weakly normalizing). This is the only example in this paper that can be proven terminating with a structural ordering. The point we make is that though it seems "evident" that the use of $R$ cannot cause non-termination, it is not trivial at all to prove every term in $T$ is terminating. Notice that such a proof cannot be obtained in Peano arithmetic. The notion of reducibility is precisely invented for overcoming the difficulty [12]. Actually, every term in $T$ is strongly normalizing, but this obviously is untrue in
Nested Recursive Function Call The program in Figure 6 involving a nested recursive function call implements McCarthy's "91" function. The withtype clause indicates that for every integer $x$, $f91(x)$ returns integer $91$ if $x \le 100$ and $x - 10$ if $x \ge 101$. We informally explain why the metric in the type annotation suffices to establish the termination of $f91$; for the inner call to $f91$, we need to prove that $\phi \models \max(0, 101 - (i + 11)) < \max(0, 101 - i)$ is satisfied for $\phi = i : \mathit{int}, i \le 100$, which is obvious; for the outer call to $f91$, we need to verify that $\phi' \models \max(0, 101 - j) < \max(0, 101 - i)$, where $\phi'$ is $\phi, j : \mathit{int}, P$ and $P$ is

$$(i + 11 \le 100 \wedge j = 91) \vee (i + 11 \ge 101 \wedge j = i + 11 - 10)$$

If $i + 11 \le 100$, then $j = 91$ and $\max(0, 101 - j) = 10 < 12 \le 101 - i$; if $i + 11 \ge 101$, then $j = i + 11 - 10 = i + 1$ and $\max(0, 101 - j) < 101 - i$ (since $i \le 100$ is assumed in $\phi$). Clearly, this example cannot be handled with a structural ordering.

Mutual Recursion The program in Figure 7 implements quicksort on a list, where the functions qs and par are defined mutually recursively. We informally explain why this program is typable in $\mathrm{ML}_{0,\ll}^{\Pi,\Sigma}$ and thus qs is a terminating function by Corollary 3.10.

For the call to par in the body of qs, the label is $(0 + 0 + a, a + 1)$, where $a$ is the length of xs'. So we need to verify that $\phi \models (0 + 0 + a, a + 1) < (n, 0)$ is satisfied for $\phi = n : \mathit{nat}, a : \mathit{nat}, a + 1 = n$, which is obvious.

For the two calls to qs in the body of par, we need to verify that $\phi \models (p, 0) < (p + q + r, r + 1)$ and $\phi \models (q, 0) < (p + q + r, r + 1)$ for $\phi = p : \mathit{nat}, q : \mathit{nat}, r : \mathit{nat}, r = 0$, both of which hold since $\phi \models p \le p + q$ and $\phi \models q \le p + q$ and $\phi \models 0 < 1$. This also indicates why we need $r + 1$ instead of $r$ in the metric for par.

For the two calls to par in the body of par, we need to verify that $\phi \models ((p + 1) + q + a, a) < (p + q + r, r)$ and $\phi \models (p + (q + 1) + a, a) < (p + q + r, r)$ for $\phi = p : \mathit{nat}, q : \mathit{nat}, r : \mathit{nat}, a : \mathit{nat}, r = a + 1$, both of which hold since $\phi \models (p + 1) + q + a = p + q + r$ and $\phi \models p + (q + 1) + a = p + q + r$ and $\phi \models a < r$. Clearly, this example cannot be handled with a structural ordering.

Higher-order Function The program in Figure 8 implements a function accept that takes a pattern p and a string s and checks whether s matches p, where the meaning of a pattern is given in the comments.

The auxiliary function acc is implemented in continuation passing style, which takes a pattern p, a list of characters cs and a continuation k and matches a prefix of cs against p and calls k on the rest of characters. Note that k is given a type that allows k to be applied only to a character list not longer than cs. The metric used for proving the termination of acc is $\langle n, i \rangle$, where $n$ is the size of p, that is the number of constructors in p (excluding Empty), and $i$ is the length of cs. Notice the call acc p cs' k in the last pattern matching clause; the label attached to this call is $\langle n, i' \rangle$, where $i'$ is the length of cs'; we have $i' \le i$ since the continuation has the type $\Pi a' : \gamma.(\mathit{char})\mathit{list}(a') \to \mathit{bool}$, where $\gamma$ is $\{a : \mathit{nat} \mid a \le i\}$; we have $i \ne i'$ since length(cs') = length(cs) must be false when this call happens;⁴ therefore we have $i' < i$ and then $\langle n, i' \rangle < \langle n, i \rangle$. It is straightforward to see that the labels attached to other calls to acc are less than $\langle n, i \rangle$. By Corollary 3.10, acc is terminating, which implies that accept is terminating (assuming explode is terminating). In every aspect, this is a non-trivial example even for interactive theorem proving systems.

Notice that the test length(cs') = length(cs) in the body of acc can be time-consuming. This can be resolved by using a continuation that accepts as its arguments both a character list and its length. In [5], there is an elegant implementation of accept that does some processing on the pattern to be matched and then eliminates the test.

Run-time  Check  There  are  also  realistic  cases  where  termi¬ 
nation  depends  on  a  program  invariant  that  cannot  (or  is  diffi¬ 
cult  to)  be  captured  in  the  type  system  of  DML.  For  instance, 
the  following  example  is  adopted  from  an  implementation  of 
bit  reversing,  which  is  a  part  of  an  implementation  of  fast 
Fourier  transform  (FFT). 

fun  loop  ( j ,  k)  = 

if  (k<j)  then  loop  (j-k,  k/2)  else  j+k 
withtype 

{a:nat,b:nat)  int(a)  *  int(b)  ->  int 

Obviously,  (oop(l,0)  is  not  terminating.  However,  we  may 
know  for  some  reason  that  the  second  argument  of  loop  can 
never  be  0  during  execution.  This  leads  to  the  following  im¬ 
plementation,  in  which  we  need  to  check  that  k  >  1  holds 
before  calling  loop{j  -  k,k/2)  so  as  to  guarantee  that  A:/2  is 
a  positive  integer. 

fun loop (j, k) =
  if (k < j) then
    if (k > 1) then loop (j - k, k/2)
    else raise Impossible
  else j + k
withtype {a:nat,b:pos} <max(0, a-b)> =>
  int(a) * int(b) -> int

It can now be readily verified that loop is a terminating function. This example indicates that we can insert run-time checks to verify program termination, sometimes approximating a liveness property with a safety property.
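Both termination arguments above, for acc of Figure 8 with the lexicographic metric (n, i) and for the checked loop with the metric max(0, a-b), in one added Python example that is not the paper's DML code. DML discharges the decreasing-metric obligation statically by type-checking; this code instead evaluates each call's label at run time and raises if a recursive call is not strictly smaller, so that the reader sees exactly what the type checker proves. The tagged-tuple pattern encoding, the MetricViolation exception and the guard flag are constructed for this example.

```python
# Added example, not the paper's code: the metrics that DML checks statically,
# evaluated at run time for acc (Figure 8) and for the bit-reversal loop.
from typing import Callable, Optional, Tuple

# Constructed pattern encoding: ("Empty",), ("Char", c), ("Plus", p1, p2),
# ("Times", p1, p2), ("Star", p0).
Pattern = tuple
Label = Tuple[int, ...]


class MetricViolation(Exception):
    """A recursive call whose label is not smaller than the enclosing one."""


class Impossible(Exception):
    """The run-time check of the paper's second loop failed."""


def size(p: Pattern) -> int:
    """The index n of pattern(n), i.e. the size annotation of the datatype."""
    tag = p[0]
    if tag == "Empty":
        return 0
    if tag == "Char":
        return 1
    if tag in ("Plus", "Times"):
        return size(p[1]) + size(p[2]) + 1
    return size(p[1]) + 1                              # Star


def check_decreasing(caller: Optional[Label], callee: Label, fn: str) -> None:
    """Labels are compared lexicographically, as DML compares metric tuples."""
    if caller is not None and not callee < caller:
        raise MetricViolation(f"{fn}: label {callee} is not < {caller}")


def acc(p: Pattern, cs: str, k: Callable[[str], bool],
        caller: Optional[Label] = None, guard: bool = True) -> bool:
    """acc from Figure 8, on Python strings.  `caller` is the label of the
    enclosing acc body (None at top level); `guard=False` drops the
    length(cs') = length(cs) test of the Star case to show why it is needed."""
    label = (size(p), len(cs))                         # the metric <n, i>
    check_decreasing(caller, label, "acc")
    tag = p[0]
    if tag == "Empty":
        return k(cs)
    if tag == "Char":
        return bool(cs) and cs[0] == p[1] and k(cs[1:])
    if tag == "Plus":                                  # k backtracks here
        return acc(p[1], cs, k, label, guard) or acc(p[2], cs, k, label, guard)
    if tag == "Times":
        return acc(p[1], cs, lambda rest: acc(p[2], rest, k, label, guard),
                   label, guard)
    # Star: zero copies first; otherwise one copy of p0, then p again.
    if k(cs):
        return True

    def one_more(rest: str) -> bool:
        if guard and len(rest) == len(cs):             # p0 consumed nothing
            return False
        return acc(p, rest, k, label, guard)           # label (n, i'), i' < i

    return acc(p[1], cs, one_more, label, guard)


def accept(p: Pattern, s: str, guard: bool = True) -> bool:
    return acc(p, s, lambda rest: rest == "", None, guard)


def loop(j: int, k: int, caller: Optional[Label] = None) -> int:
    """The paper's second loop: metric max(0, a-b) plus the check k > 1, which
    keeps k/2 positive and so makes the metric strictly decrease."""
    label = (max(0, j - k),)
    check_decreasing(caller, label, "loop")
    if k < j:
        if k > 1:
            return loop(j - k, k // 2, label)
        raise Impossible("k must stay positive")
    return j + k


def loop_unchecked(j: int, k: int, caller: Optional[Label] = None) -> int:
    """The paper's first loop under the same metric: loop_unchecked(1, 0) is
    stopped by the metric check instead of running forever."""
    label = (max(0, j - k),)
    check_decreasing(caller, label, "loop_unchecked")
    if k < j:
        return loop_unchecked(j - k, k // 2, label)
    return j + k


if __name__ == "__main__":
    # Constructed input: the pattern (a|b)*c and two subject strings.
    ab_star_c = ("Times", ("Star", ("Plus", ("Char", "a"), ("Char", "b"))),
                 ("Char", "c"))
    print(accept(ab_star_c, "abbac"), accept(ab_star_c, "abba"))   # True False
    print(loop(10, 8), loop(7, 4))                                  # 6 2
```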

5.2  Practicality 

There are two separate issues concerning the practicality of our approach to program termination verification, which are (a) the practicality of the termination verification process and (b) the applicability of the approach to realistic programs.

Note that length(cs') and length(cs) have the types int(i') and int(i), respectively, and thus length(cs') = length(cs) has the type bool(i' = i), where i' = i equals 1 or 0 depending on whether i' equals i. Thus, i' < i can be inferred in the type system.
fun f91 (x) = if (x <= 100) then f91 (f91 (x + 11)) else x - 10
withtype
  {i:int} <max(0, 101-i)> =>
  int(i) -> [j:int | (i<=100 /\ j=91) \/ (i>=101 /\ j=i-10)] int(j)

Figure 6. An implementation of McCarthy's "91" function

fun('a) qs cmp xs =
  case xs of [] => [] | x :: xs' => par cmp (x, [], [], xs')
withtype ('a * 'a -> bool) -> {n:nat} <n,0> => 'a list(n) -> 'a list(n)

and('a) par cmp (x, l, r, xs) =
  case xs of
    [] => qs cmp l @ (x :: qs cmp r)
  | x' :: xs' => if cmp(x', x) then par cmp (x, x' :: l, r, xs')
                 else par cmp (x, l, x' :: r, xs')
withtype ('a * 'a -> bool) -> {p:nat,q:nat,r:nat} <p+q+r,r+1> =>
  'a * 'a list(p) * 'a list(q) * 'a list(r) -> 'a list(p+q+r+1)

Figure 7. An implementation of quicksort on a list


It is easy to observe that the complexity of type-checking in DML extended with metrics is basically the same as in DML itself, since the only added work is to verify that metrics (provided by the programmer) are decreasing, which requires solving some extra constraints. The number of extra constraints generated from type-checking a function is proportional to the number of recursive calls in the body of the function and therefore is likely small. Based on our experience with DML, we thus feel that type-checking with metrics is suitable for practical use.

As for the applicability of our approach to realistic programs, we use the type system of the programming language C as an example to illustrate a design decision. Obviously, the type system of C is unsound because of (unsafe) type casts, which are often needed in C for typing programs that would otherwise not be possible. In spite of this practice, the type system of C is still of great help for capturing program errors. Clearly, a similar design is to allow the programmer to assert the termination of a function in DML if it cannot be verified, which we may call termination cast. Combining termination verification, run-time checks and termination cast, we feel that our approach is promising to be put into practice.

6  Related  Work 

The amount of research work related to program termination is simply vast. In this section, we mainly mention some related work with which our work shares some similarity either in design or in technique.

Most approaches to automated termination proofs for either programs or term rewriting systems (TRSs) use various heuristics to synthesize well-founded orderings. Such approaches, however, often have difficulty reporting comprehensible information when a program cannot be proven terminating. Following [11], there is also a large amount of work on proving termination of logic programs. In [11], it is reported that the Mercury compiler can perform automated termination checking on realistic logic programs.

However, we address a different question here. We are interested in checking whether a given metric suffices to establish the termination of a program and not in synthesizing such a metric. This design is essentially the same as the one adopted in [10], where it checks whether a given structural ordering (possibly on higher-order terms) is decreasing in an inductive proof or a logic program. Clearly, approaches based on checking complement those based on synthesis.

Our approach also relates to the semantic labelling approach [19] designed to prove termination for term rewriting systems (TRSs). The essential idea is to differentiate function calls with labels and show that labels are always decreasing when a function call unfolds. The semantic labelling approach requires constructing a model for a TRS to verify whether labelling is done correctly while our approach does this by type-checking.

The notion of sized types is introduced in [6] for proving the correctness of reactive systems. There, the type system is capable of guaranteeing the termination of well-typed programs. The language presented in [6], which is designed for embedded functional programming, contains a significant restriction as it only supports (a minor variant of) primitive recursion, which can cause inconvenience in programming. For instance, it seems difficult to implement quicksort by using only primitive recursion. From our experience, general recursion is really a major programming feature that greatly complicates program termination verification. Also, the notion of existential dependent types, which we deem indispensable in practical programming, does not exist in [6].

When  compared  to  various  (interactive)  theorem  proving 
datatype pattern with nat =
    Empty(0)  (* empty string matches Empty *)
  | Char(1) of char  (* "c" matches Char(c) *)
  | {i:nat,j:nat} Plus(i+j+1) of pattern(i) * pattern(j)
    (* cs matches Plus(p1, p2) if cs matches either p1 or p2 *)
  | {i:nat,j:nat} Times(i+j+1) of pattern(i) * pattern(j)
    (* cs matches Times(p1, p2) if a prefix of cs matches p1 and
       the rest matches p2 *)
  | {i:nat} Star(i+1) of pattern(i)
    (* cs matches Star(p) if cs matches some, possibly 0, copies of p *)

(* 'length' computes the length of a list *)
fun('a) length (xs) = let
    fun len ([], n) = n
      | len (x :: xs, n) = len (xs, n+1)
    withtype {i:nat,j:nat} <i> => 'a list(i) * int(j) -> int(i+j)
  in
    len (xs, 0)
  end
withtype {i:nat} <> => 'a list(i) -> int(i)
(* empty tuple <> is used since 'length' is not recursive *)

fun acc p cs k =
  case p of
    Empty => k (cs)
  | Char(c) =>
      (case cs of
         [] => false
       | c' :: cs' => if (c = c') then k (cs') else false)
  | Plus(p1, p2) => (* in this case, k is used for backtracking *)
      if acc p1 cs k then true else acc p2 cs k
  | Times(p1, p2) => acc p1 cs (fn cs' => acc p2 cs' k)
  | Star(p0) =>
      if k (cs) then true
      else acc p0 cs (fn cs' =>
             if length(cs') = length(cs) then false
             else acc p cs' k)
withtype {n:nat} pattern(n) ->
  {i:nat} <n, i> => char list(i) ->
  ({i':nat | i' <= i} char list(i') -> bool) -> bool

(* 'explode' turns a string into a list of characters *)
fun accept p s =
  acc p (explode s) (fn [] => true | _ :: _ => false)
withtype <> => pattern -> string -> bool

Figure 8. An implementation of pattern matching on strings
systems such as NuPrl [2], Coq [4], Isabelle [8] and PVS [9], our approach to program termination is weaker (in the sense that [many] fewer programs can be verified terminating) but more automatic and less obtrusive to programming. We have essentially designed a mechanism for program termination verification with a language interface that is to be used during the program development cycle. We consider this as the main contribution of the paper. When applied, the designed mechanism intends to facilitate program error detection, leading to the construction of more robust programs.

7  Conclusion  and  Future  Work 

We have presented an approach based on dependent types in DML that allows the programmer to supply metrics for verifying program termination and proven its correctness. We have also applied this approach to various examples that involve significant programming features such as a general form of recursion (including mutual recursion), higher-order functions, algebraic datatypes and polymorphism, supporting its usefulness in practice.

A program property is often classified as either a safety property or a liveness property. That a program never performs out-of-bounds array subscripting at run-time is a safety property. It is demonstrated in [17] that dependent types in DML can guarantee that every well-typed program in DML possesses such a safety property, effectively facilitating run-time array bound check elimination. It is, however, unclear (a priori) whether dependent types in DML can also be used for establishing liveness properties. In this paper, we have formally addressed the question, demonstrating that dependent types in DML can be combined with metrics to establish program termination, one of the most significant liveness properties.

Termination checking is also useful for compiler optimization. For instance, if one decides to change the execution order of two programs, it may be required to prove that the first program always terminates. Also, it seems feasible to use metrics for estimating the time complexity of programs. In lazy functional programming, such information may allow a compiler to decide whether a thunk should be formed. In future, we expect to explore along these lines of research.

Although we have presented many interesting examples that cannot be proven terminating with structural orderings, we emphasize that structural orderings are often effective in practice for establishing program termination. Therefore, it seems fruitful to study a combination of our approach with structural orderings that handles simple cases with either automatically synthesized or manually provided structural orderings and verifies more difficult cases with metrics supplied by the programmer.
Abstract

Proof-carrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiet ipsos custodes — who will verify the verifier itself? Foundational proof-carrying code is verification from the smallest possible set of axioms, using the simplest possible verifier and the smallest possible runtime system. I will describe many of the mathematical and engineering problems to be solved in the construction of a foundational proof-carrying code system.

1  Introduction 

When you obtain a piece of software - a shrink-wrapped application, a browser plugin, an applet, an OS kernel extension - you might like to ascertain that it's safe to execute; it accesses only its own memory and respects the private variables of the API to which it's linked. In a Java system, for example, the byte-code verifier can make such a guarantee, but only if there's no bug in the verifier itself, or in the just-in-time compiler, or the garbage collector, or other parts of the Java virtual machine (JVM).

If a compiler can produce Typed Assembly Language (TAL) [14], then just by type-checking the low-level representation of the program we can guarantee safety - but only if there's no bug in the typing rules, or in the type-checker, or in the assembler that translates TAL to machine language. Fortunately, these components are significantly smaller and simpler than a Java JIT and JVM.

Proof-carrying code (PCC) [15] constructs and verifies a mathematical proof about the machine-language program itself, and this guarantees safety - but only if there's no bug in the verification-condition generator, or in the logical axioms, or the typing rules, or the proof-checker.

What is the minimum possible size of the components that must be trusted in a PCC system? This is like asking, what is the minimum set of axioms necessary to prove a particular theorem? A foundational proof is one from just the foundations of mathematical logic, without additional axioms and assumptions; foundational proof-carrying code is PCC with trusted components an order of magnitude smaller than previous PCC systems.

* This research was supported in part by DARPA award F30602-99-1-0519 and by National Science Foundation grant CCR-9974553.

Conventional proof-carrying code.  Necula [15] showed how to specify and verify safety properties of machine-language programs to ensure that an untrusted program does no harm - does not access unauthorized resources, read private data, or overwrite valuable data. The provider of a PCC program must provide both the executable code and a machine-checkable proof that this code does not violate the safety policy of the host computer. The host computer does not run the given code until it has verified the given proof that the code is safe.

In most current approaches to PCC and TAL [15, 14], the machine-checkable proofs are written in a logic with a built-in understanding of a particular type system. More formally, type constructors appear as primitives of the logic and certain lemmas about these type constructors are built into the verification system. The semantics of the type constructors and the validity of the lemmas concerning them are proved rigorously but without mechanical verification by the designers of the PCC verification system. We will call this type-specialized PCC.

A PCC system must understand not only the language of types, but also the machine language for a particular machine. Necula's PCC systems [15, 7] use a verification-condition generator (VCgen) to derive, for each program, a verification condition - a logical formula that if true guarantees the safety of the program. The code producer must prove, and the code consumer must check the proof of, the verification condition. (Both producer and consumer independently run the VCgen to derive the right formula for the given program.)

The VCgen is a fairly large program (23,000 lines of C in the Cedilla Systems implementation [7]) that examines the machine instructions of the program, expands the substitutions of its machine-code Hoare logic, examines the formal parameter declarations to derive function preconditions, and examines result declarations to derive postconditions. A bug in the VCgen will lead to the wrong formula being proved and checked.

The soundness of a PCC system's typing rules and VCgen can, in principle, be proved as a metatheorem. Human-checked proofs of type systems are almost tractable; the appendices of Necula's thesis [16] and Morrisett et al.'s paper [14] contain such proofs, if not of the actual type systems used in PCC systems, then of their simplified abstractions. But constructing a mechanically-checkable correctness proof of a full VCgen would be a daunting task.


Foundational PCC.  Unlike type-specialized PCC, the foundational PCC described by Appel and Felty [3] avoids any commitment to a particular type system and avoids using a VC generator. In foundational PCC the operational semantics of the machine code is defined in a logic that is suitably expressive to serve as a foundation of mathematics. We use higher-order logic with a few axioms of arithmetic, from which it is possible to build up most of modern mathematics. The operational semantics of machine instructions [12] and safety policies [2] are easily defined in higher-order logic. In foundational PCC the code provider must give both the executable code plus a proof in the foundational logic that the code satisfies the consumer's safety policy. The proof must explicitly define, down to the foundations of mathematics, all required concepts and explicitly prove any needed properties of these concepts.

Foundational PCC has two main advantages over type-specialized PCC — it is more flexible and more secure. Foundational PCC is more flexible because the code producer can "explain" a novel type system or safety argument to the code consumer. It is more secure because the trusted base can be smaller: its trusted base consists only of the foundational verification system together with the definition of the machine instruction semantics and the safety policy. A verification system for higher-order logic can be made quite small [10, 17].

In our research project at Princeton University (with the help of many colleagues elsewhere) we are building a foundational PCC system, so that we can specify and automatically prove and check the safety of machine-language programs. In this paper I will explain the components of the system.


2  Choice  of  logic  and  framework 

To do machine-checked proofs, one must first choose a logic and a logical framework in which to manipulate the logic. The logic that we use is Church's higher-order logic with axioms for arithmetic; we represent our logic, and check proofs, in the LF metalogic [10] implemented in the Twelf logical framework [18]. We have chosen LF because it naturally produces proof objects that we can send to a "consumer."

The Twelf system allows us to specify constructors of our object logic. Our object logic has types tp; its primitive types are propositions o and numbers num; there is an arrow constructor to build function types, and pair to build tuples. For any object-logic type T, object-logic expressions of that type have metalogical type tm T. Finally, for any formula A we can talk about proofs of A, which belong to the metalogical type pf(A).

tp : type.
tm : tp -> type.
o : tp.  num : tp.
arrow : tp -> tp -> tp.
%infix right 14 arrow.
pair : tp -> tp -> tp.
pf : tm o -> type.

We have object-logic constructors lam (to construct functions), @ (to apply a function to an argument, written infix), imp (logical implication), and forall (universal quantification):

lam : (tm T1 -> tm T2) -> tm (T1 arrow T2).
@ : tm (T1 arrow T2) -> tm T1 -> tm T2.
%infix left 20 @.
imp : tm o -> tm o -> tm o.
%infix right 10 imp.
forall : (tm T -> tm o) -> tm o.

The trick of using lam and @ to coerce between metalogical functions tm T1 -> tm T2 and object-logic functions tm (T1 arrow T2) is described by Harper, Honsell, and Plotkin [10]. We need object-logic functions so that we can quantify over them using forall; that is, the type of F in forall [F] predicate(F) must be tm T for some T such as num arrow num, but cannot be tm T1 -> tm T2.

We have introduction and elimination rules for these constructors (rules for pairing omitted here):

beta_e : {P : tm T -> tm o}
         pf (P (lam F @ X)) -> pf (P (F X)).
beta_i : {P : tm T -> tm o}
         pf (P (F X)) -> pf (P (lam F @ X)).
imp_i : (pf A -> pf B) -> pf (A imp B).
imp_e : pf (A imp B) -> pf A -> pf B.
forall_i : ({X : tm T} pf (A X)) -> pf (forall A).
forall_e : pf (forall A) -> {X : tm T} pf (A X).
not_not_e : pf ((B imp forall [A] A) imp forall [A] A)
            -> pf B.

Our proofs don't need extensionality or the general axiom of choice.

Once we have defined the constructors of the logic, we can define lemmas and new operators as definitions in Twelf:

and : tm o -> tm o -> tm o =
  [A] [B] forall [C] (A imp B imp C) imp C.
%infix right 12 and.

and_i : pf A -> pf B -> pf (A and B) =
  [p1 : pf A] [p2 : pf B]
  forall_i [c : tm o]
    imp_i [p3] imp_e (imp_e p3 p1) p2.

and_e1 : pf (A and B) -> pf A =
  [p1 : pf (A and B)]
  imp_e (forall_e p1 A)
    (imp_i [p2 : pf A] imp_i [p3 : pf B] p2).

Of  course,  the  defined  lemmas  are  checked  by  machine 
(the  Twelf  type  checker),  and  need  not  be  trusted  in  the 
same  way  that  the  core  inference  rules  are.  Our  interactive 
tutorial  [1]  provides  an  informal  introduction  to  our  object 
logic. 


3  Specifying  machine  instructions 


We start by modeling a specific von Neumann machine, such as the Sparc or the Pentium. A machine state comprises a register bank and a memory, each of which is a function from integers (addresses) to integers (contents). Every register of the instruction-set architecture (ISA) must be assigned a number in the register bank: the general registers, the floating-point registers, the condition codes, and the program counter. Where the ISA does not specify a number (such as for the PC) we use an arbitrary index:

[figure: the register bank r and the memory m, each drawn as a function from integer indices to integer contents]


A single step of the machine is the execution of one instruction. We can specify instruction execution by giving a step relation $(r,m) \mapsto (r',m')$ that describes the relation between the prior state $(r,m)$ and the state $(r',m')$ of the machine after execution.

For example, to describe the instruction $r_1 \leftarrow r_2 + r_3$, we might start by writing,

$(r,m) \mapsto (r',m') \;=\; r'(1) = r(2) + r(3) \;\wedge\; (\forall x \ne 1.\ r'(x) = r(x)) \;\wedge\; m' = m$

In fact, we can define $\mathit{add}(i,j,k)$ as this predicate on four arguments $(r,m,r',m')$:

$\mathit{add}(i,j,k) \;=\; \lambda r,m,r',m'.\ r'(i) = r(j) + r(k) \;\wedge\; (\forall x \ne i.\ r'(x) = r(x)) \;\wedge\; m' = m$

Similarly, we can define the instruction $r_i \leftarrow m[r_j + c]$ as

$\mathit{load}(i,j,c) \;=\; \lambda r,m,r',m'.\ r'(i) = m(r(j) + c) \;\wedge\; (\forall x \ne i.\ r'(x) = r(x)) \;\wedge\; m' = m$

But we must also take account of instruction fetch and decoding. Suppose, for example, that the add instruction is encoded as a 32-bit word, containing a 6-bit field with opcode 3 denoting add, a 5-bit field denoting the destination register $i$, and 5-bit fields denoting the source registers $j, k$:

[figure: bit-field layout of the add encoding (opcode, i, j, k), with field boundaries at bit positions 26, 21, 16 and 11 and the word ending at bit 0]

The load instruction might be encoded as,

[figure: bit-field layout of the load encoding (opcode, i, j, c), with field boundaries at bit positions 26, 21 and 16 and the word ending at bit 0]


Then we can say that some number $w$ decodes to an instruction $\mathit{instr}$ iff,

$\mathit{decode}(w, \mathit{instr}) \;=$
$\quad (\exists i,j,k.\ 0 \le i < 2^5 \;\wedge\; 0 \le j < 2^5 \;\wedge\; 0 \le k < 2^5 \;\wedge$
$\qquad w = 3 \cdot 2^{26} + i \cdot 2^{21} + j \cdot 2^{16} + k \cdot 2^{11} \;\wedge$
$\qquad \mathit{instr} = \mathit{add}(i,j,k))$
$\quad \vee\; (\exists i,j,c.\ 0 \le i < 2^5 \;\wedge\; 0 \le j < 2^5 \;\wedge\; 0 \le c < 2^{16} \;\wedge$
$\qquad w = 12 \cdot 2^{26} + i \cdot 2^{21} + j \cdot 2^{16} + c \cdot 2^{0} \;\wedge$
$\qquad \mathit{instr} = \mathit{load}(i,j,\mathit{sign\text{-}extend}(c)))$
$\quad \vee\; \ldots$

with the ellipsis denoting the many other instructions of the machine, which must also be specified in this formula.

Neophytos Michael and I have shown [12] how to scale this idea up to the instruction set of a real machine. Real machines have large but semiregular instruction sets; instead of a single global disjunction, the decode relation can be factored into operands, addressing modes, and so on. Real machines don't use integer arithmetic, they use modular arithmetic, which can itself be specified in our higher-order logic. Some real machines have multiple program counters (e.g., Sparc) or variable-length instructions (e.g., Pentium), and these can also be accommodated.

Our description of the decode relation is heavily factored by higher-order predicates (this would not be possible without higher-order logic). We have specified the execution behavior of a large subset of the Sparc architecture (without register windows or floating-point). For PCC, it is sufficient to specify a subset of the machine architecture; any unspecified instruction will be treated by the safety policy as illegal, which may be inconvenient for compilers that want to generate that instruction, but which cannot compromise safety.

Our Sparc specification has two components, a "syntactic" part (the decode relation) and a semantic part (the definitions of add, load, etc.). The syntactic part is derived from a 151-line specification written in the SLED language of the New Jersey Machine-Code Toolkit [19]; our translator expands this to 1035 lines of higher-order logic, as represented in Twelf; but we believe that a more concise and readable translation would produce only 500-600 lines. The semantic part is about 600 lines of logic, including the definition of modular arithmetic.

4  Specifying  safety 

Our step relation $(r,m) \mapsto (r',m')$ is deliberately partial; some states have no successor state. In these states the program counter $r(\mathit{pc})$ points to an illegal instruction. Now we will proceed to make it even more partial, by defining as illegal those instructions that violate our safety policy.

For example, suppose we wish to specify a safety policy that "only readable addresses will be loaded," where the predicate readable is given some suitable definition such as

$\mathit{readable}(x) \;=\; 0 \le x < 1000$

(see Appel and Felten [2] for descriptions of security policies that are more interesting than this one).

We can add a new conjunct to the semantics of the load instruction,

$\mathit{load}(i,j,c) \;=\; \lambda r,m,r',m'.\ r'(i) = m(r(j) + c) \;\wedge\; \mathit{readable}(r(j) + c) \;\wedge\; (\forall x \ne i.\ r'(x) = r(x)) \;\wedge\; m' = m.$

Now, in a machine state where the program counter points to a load instruction that violates the safety policy, our step relation does not relate this state to any successor state (even though the real machine "knows how" to execute it).

Using this partial step relation, we can define safety; a given state is safe if, for any state reachable in the Kleene closure of the step relation, there is a successor state:

$\mathit{safe\text{-}state}(r,m) \;=\; \forall r',m'.\ (r,m) \mapsto^{*} (r',m') \Rightarrow \exists r'',m''.\ (r',m') \mapsto (r'',m'')$

A program is just a sequence of integers (representing machine instructions); we say that a program $p$ is loaded at a location $\mathit{start}$ in memory $m$ if

$\mathit{loaded}(p,m,\mathit{start}) \;=\; \forall i \in \mathit{dom}(p).\ m(i + \mathit{start}) = p(i)$

Finally (assuming that programs are written in position-independent code), a program is safe if, no matter where we load it in memory, we get a safe state:

$\mathit{safe}(p) \;=\; \forall r,m,\mathit{start}.\ \mathit{loaded}(p,m,\mathit{start}) \wedge r(\mathit{pc}) = \mathit{start} \Rightarrow \mathit{safe\text{-}state}(r,m)$

The important thing to notice about this formulation is that there is no verification-condition generator. The syntax and semantics of machine instructions, implicit in a VCgen, have been made explicit - and much more concise - in the step relation. But the Hoare logic of machine instructions and typing rules for function parameters, also implicit in a VCgen, must now be proved as lemmas - about which more later.
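The definitions of Sections 3 and 4 as an added Python model, not the paper's Twelf specification: a two-opcode decode relation, the partial step relation with the readable conjunct, and the loaded, safe-state and safe predicates. Assumed for this example: the add and load field layouts of the decode formula above (6-bit opcode at bit 26, 5-bit register fields at bits 21, 16 and 11, a 16-bit immediate at bit 0), a program counter at register index 32 that advances one word per instruction, and, because the modelled step relation is deterministic, a bounded walk along its single execution chain in place of the Kleene closure.

```python
# Added example, not the paper's Twelf specification: a two-instruction model
# of the partial step relation, the safety policy and the safety predicates.
from typing import Dict, List, Optional, Tuple

PC = 32            # arbitrary register index for the program counter (assumed)
WORD = 1 << 32     # the model, like real machines, uses modular arithmetic

Regs = Dict[int, int]
Mem = Dict[int, int]
State = Tuple[Regs, Mem]


def readable(x: int) -> bool:
    """The paper's example policy: only addresses in [0, 1000) may be loaded."""
    return 0 <= x < 1000


def sign_extend(c: int) -> int:
    """sign-extend(c) for the 16-bit immediate field of load."""
    return c - (1 << 16) if c & (1 << 15) else c


def encode_add(i: int, j: int, k: int) -> int:
    return 3 * 2**26 + i * 2**21 + j * 2**16 + k * 2**11


def encode_load(i: int, j: int, c: int) -> int:
    return 12 * 2**26 + i * 2**21 + j * 2**16 + (c & 0xFFFF) * 2**0


def decode(w: int) -> Optional[tuple]:
    """decode(w, instr) as a function: the instruction that w denotes, or None
    when no disjunct of the decode relation holds (an illegal word)."""
    opcode, i, j = w >> 26, (w >> 21) & 0x1F, (w >> 16) & 0x1F
    if opcode == 3 and w & 0x7FF == 0:         # add: bits 0..10 must be zero
        return ("add", i, j, (w >> 11) & 0x1F)
    if opcode == 12:
        return ("load", i, j, sign_extend(w & 0xFFFF))
    return None


def step(state: State) -> Optional[State]:
    """The partial step relation (r, m) |-> (r', m'): the unique successor, or
    None when there is none (illegal instruction, or a load whose address
    fails readable, the conjunct Section 4 adds to load)."""
    r, m = state
    instr = decode(m.get(r[PC], 0))           # instruction fetch, then decode
    if instr is None:
        return None
    r2 = dict(r)                               # r'(x) = r(x) for all x != i
    if instr[0] == "add":
        _, i, j, k = instr
        r2[i] = (r.get(j, 0) + r.get(k, 0)) % WORD
    else:
        _, i, j, c = instr
        addr = r.get(j, 0) + c
        if not readable(addr):                 # policy violation: no successor
            return None
        r2[i] = m.get(addr, 0)
    r2[PC] = r[PC] + 1                         # assumed: PC counts whole words
    return r2, m                               # m' = m


def loaded(p: List[int], m: Mem, start: int) -> bool:
    """loaded(p, m, start): for all i in dom(p), m(i + start) = p(i)."""
    return all(m.get(i + start) == w for i, w in enumerate(p))


def safe_state(state: State, fuel: int) -> bool:
    """safe-state(r, m), approximated: every state reachable within `fuel`
    steps has a successor.  The paper quantifies over the whole Kleene
    closure, which only a proof, not exploration, can discharge."""
    for _ in range(fuel):
        nxt = step(state)
        if nxt is None:
            return False
        state = nxt
    return True


def safe(p: List[int], r0: Regs, starts: List[int], fuel: int) -> bool:
    """safe(p), checked for the given load addresses rather than all of them:
    load p at each start, point the PC at it, and require a safe state."""
    for start in starts:
        m: Mem = {start + i: w for i, w in enumerate(p)}
        r: Regs = dict(r0)
        r[PC] = start
        if not (loaded(p, m, start) and safe_state((r, m), fuel)):
            return False
    return True


# Constructed program: r1 <- r2 + r3 ; r4 <- m[r1 + 0]
PROGRAM = [encode_add(1, 2, 3), encode_load(4, 1, 0)]

if __name__ == "__main__":
    print(safe(PROGRAM, {2: 500, 3: 400}, [2000, 4096], 2))   # True: reads m[900]
    print(safe(PROGRAM, {2: 600, 3: 500}, [2000, 4096], 2))   # False: m[1100]
```

With fuel larger than the program, the walk runs off the end into a word that decodes to nothing and safe reports False, which is exactly the paper's reading of a state with no successor.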
5  Proving safety




In a sufficiently expressive logic, as we all know, proving theorems can be a great deal more difficult than merely stating them - and higher-order logic is certainly expressive. For guidance in proving safety of machine-language programs we should not particularly look to previous work in formal verification of program correctness. Instead, we should think more of type checking: automatic proofs of decidable safety properties of programs.

The key advances that make it possible to generate proofs automatically are typed intermediate languages [11] and typed assembly language [14]. Whereas conventional compilers type-check the source program, then throw away the types (using the lambda-calculus principle of erasure) and then transform the program through progressively lower-level intermediate representations until they reach assembly language and then machine language, a type-preserving compiler uses typed intermediate languages at each level. If the program type-checks at a low level, then it is safe, regardless of whether the previous (higher-level) compiler phases might be buggy on some inputs. As the program is analyzed into smaller pieces at the lower levels, the type systems become progressively more complex, but the type theory of the 1990's is up to the job of engineering the type systems.

[figure: a conventional compiler translating source code to native machine code; only the labels "source code", "native machine code" and "Conventional Compiler" survive]

TAL was originally designed to be used in a certifying compiler, but one that certifies the assembly code and uses a trusted assembler to translate to machine code. But we can use TAL to help generate proofs in a PCC system that directly verifies the machine code. In such a system, the proofs are typically by induction, with induction hypotheses such as, "whenever the program-counter reaches location $l$, the register 3 will be a pointer to a pair of integers." These local invariants can be generated from the TAL formulation of the program, but in a PCC system they can be checked in machine code without needing to trust the assembler.
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Typing  rules  for  machine  language.  In  important  in¬ 
sight  in  the  development  of  PCC  is  that  one  can  write 
type-inference  rules  for  machine  language  and  machine 
states.  For  example,  Necula  [15]  used  rules  such  as 

m  'r  X  :  Xi  X  X2 
m  h  m{x)  :  T)  A  m{x  -f  1 )  :  T2 

meaning  that  if  jc  has  type  ii  x  T2  in  memory  m  -  meaning 
that  it  is  a  pointer  to  a  boxed  pair  -  then  the  contents  of 
location  x  will  have  type  Ti  and  the  contents  of  location 
jc-i- 1  will  have  type  Xt. 

Proofs of safety in PCC use the local induction hypotheses at each point in the program to prove that the program is typable. This implies, by a type-soundness argument, that the program is therefore safe.

If the type system is given by syntactic inference rules, the proof of type soundness is typically done by syntactic subject reduction - one proves that each step of computation preserves typability and that typable states are safe. The proof involves structural induction over typing derivations. In conventional PCC, this proof is done in the metatheory, by humans.

In foundational PCC we wish to include the type-soundness proof inside the proof that is transmitted to the code consumer because (1) it's more secure to avoid reliance on human-checked proofs and (2) that way we avoid restricting the protocol to a single type system. But in order to do a foundational subject-reduction theorem, we would need to build up the mathematical machinery to manipulate typing derivations as syntactic objects, all represented inside our logic using foundational mathematical concepts - sets, pairs, and functions. We would need to do case analyses over the different ways that a given type judgement might be derived. While this can all be done, we take a different approach to proving that typability implies safety.

We take a semantic approach. In a semantic proof one assigns a meaning (a semantic truth value) to type judgements. One then proves that if a type judgement is true then the typed machine state is safe. One further proves that the type inference rules are sound, i.e., if the premises are true then the conclusion is true. This ensures that derivable type judgements are true and hence typable machine states are safe.

The semantic approach avoids formalizing syntactic type expressions. Instead, one formalizes a type as a set of semantic values. One defines the operator $\times$ as a function taking two sets as arguments and returning a set. The above type inference rule for pair projection can then be replaced by the following semantic lemma in the foundational proof:

$$\frac{m \models x : \tau_1 \times \tau_2}{m \models m(x) : \tau_1 \;\wedge\; m(x+1) : \tau_2}$$

Although the two forms of the pair-projection rule look very similar they are actually significantly different. In the second rule $\tau_1$ and $\tau_2$ range over semantic sets rather than type expressions. The relation $\models$ in the second version is defined directly in terms of a semantics for assertions of the form $x : \tau$. The second "rule" is actually a lemma to be proved while the first rule is simply a part of the definition of the syntactic relation $\vdash$. For the purposes of foundational PCC, we view the semantic proofs as preferable to syntactic subject-reduction proofs because they lead to shorter and more manageable foundational proofs. The semantic approach avoids the need for any formalization of type expressions and avoids the formalization of proofs or derivations of type judgements involving type expressions.

5.1 Semantic models of types

Building semantic models for type systems is interesting and nontrivial. In a first attempt, Amy Felty and I [3] were able to model a pure-functional (immutable datatypes) call-by-value language with records, address arithmetic, polymorphism and abstract types, union and intersection types, continuations and function pointers, and covariant recursive types.

Our simplest semantics is set-theoretic: a type is a set of values. But what is a value? It is not a syntactic construct, as in lambda-calculus; on a von Neumann machine we wish to use a more natural representation of values that corresponds to the way procedures and data structures are represented in practice. This way, our type theory can match reality without a layer of simulation in between. We can represent a value as a pair $(m, x)$, where $m$ is a memory and $x$ is an integer (typically representing an address).

To represent a pointer data structure that occupies a certain portion of the machine's memory, we let $x$ be the root address of that structure. For example, the boxed pair of integers $(5, 7)$ represented at address 108 would be represented as the value $(\{108 \mapsto 5,\ 109 \mapsto 7\},\ 108)$.


[Figure: the value $(m, x)$ of this boxed pair, drawn as the memory $m$ with the root pointer $x = 108$.]

To represent a function value, we let $x$ be the entry address of the function; here is the function $f(a) = a + 1$, assuming that arguments and return results are passed in register 1:

[Figure: a function value $(m, x)$ whose entry address $x$ holds the code
    r1 := r1 + 1
    jump(r7)
]

This model of values would be sufficient in a semantics of statically allocated data structures, but to have dynamic heap allocation we must be able to indicate the set $a$ of allocated addresses, such that any modification of memory outside the allocated set will not disturb already allocated values. A state is a pair $(a, m)$, and a value is a pair $((a, m), x)$ of state and root-pointer. The allocset $a$ is virtual; it is not directly represented at run time, but is existentially quantified.


Limitations. In the resulting semantics [3] we could model heap allocation, but we could not model mutable record-fields; and though our type system could describe

    datatype 'a list = nil | :: of 'a * 'a list

we could not handle recursions where the type being defined occurs in a negative (contravariant) position, as in

    datatype exp = APP of exp * exp | LAM of [exp] -> exp

where the boxed occurrence of exp (shown here in brackets) is a negative occurrence. Contravariant recursion is occasionally useful in ML, but it is the very essence of object-oriented programming, so these limitations (no mutable fields, no contravariant recursion) are quite restrictive.


5.2 Indexed model of recursive types

In more recent work, David McAllester and I have shown how to make an "indexed" semantic model that can describe contravariant recursive types [4]. Instead of saying that a type is a set of values, we say that it is a set of pairs $(k, v)$ where $k$ is an approximation index and $v$ is a value. The judgement $(k, v) \in \tau$ means, "$v$ approximately has type $\tau$, and any program that runs for fewer than $k$ instructions can't tell the difference." The indices $k$ allow the construction of a well founded recursion, even when modeling contravariant recursive types.

The type system works both for von Neumann machines and for $\lambda$-calculus; here I will illustrate the latter. We define a type as a set of pairs $(k, v)$ where $k$ is a nonnegative integer and $v$ is a value and where the set $\tau$ is such that if $(k, v) \in \tau$ and $0 \le j \le k$ then $(j, v) \in \tau$. For any closed expression $e$ and type $\tau$ we write $e :_k \tau$ if $e$ is safe for $k$ steps and if whenever $e \mapsto^j v$ for some value $v$ with $j < k$ we have $(k - j, v) \in \tau$; that is,

$$e :_k \tau \;\equiv\; \forall j\, \forall e'.\; 0 \le j < k \;\wedge\; e \mapsto^j e' \;\wedge\; \mathrm{nf}(e') \;\Rightarrow\; (k - j, e') \in \tau$$

where $\mathrm{nf}(e')$ means that $e'$ is a normal form - has no successor in the call-by-value small-step evaluation relation.

We start with definitions for the sets that represent the types:

$$\begin{aligned}
\bot &= \{\} \\
\top &= \{(k, v) \mid k \ge 0\} \\
\mathrm{int} &= \{(k, 0), (k, 1), \ldots \mid k \ge 0\} \\
\tau_1 \times \tau_2 &= \{(k, (v_1, v_2)) \mid \forall j < k.\; (j, v_1) \in \tau_1 \wedge (j, v_2) \in \tau_2\} \\
\sigma \to \tau &= \{(k, \lambda x.e) \mid \forall j < k\, \forall v.\; (j, v) \in \sigma \Rightarrow e[v/x] :_j \tau\} \\
\mu F &= \{(k, v) \mid (k, v) \in F^{k+1}(\bot)\}
\end{aligned}$$

Next we define what is meant by a typing judgement. Given a mapping $\Gamma$ from variables to types, we write $\Gamma \vdash_k e : \alpha$ to mean that

$$\forall \sigma.\; \sigma :_k \Gamma \;\Rightarrow\; \sigma(e) :_k \alpha$$

where $\sigma$ is a substitution, $\sigma :_k \Gamma$ means that $(k, \sigma(x)) \in \Gamma(x)$ for every variable $x$, and $\sigma(e)$ is the result of replacing the free variables in $e$ with their values under substitution $\sigma$. To drop the index $k$, we define

$$\Gamma \vdash e : \alpha \;\equiv\; \forall k.\; \Gamma \vdash_k e : \alpha$$

Soundness theorem: It is trivial to prove from these definitions that if $\vdash e : \alpha$ and $e \mapsto^* e'$ then $e'$ is not stuck, that is, $e'$ is a value or $e' \mapsto e''$.

Well founded type constructors. We define the notion of a well founded type constructor. Here I will not give the formal definition, but state the informal property that if $F$ is well founded and $x : F(\tau)$, then to extract from $x$ a value of type $\tau$, or to apply $x$ to a value of type $\tau$, must take at least one execution step. The constructors $\times$ and $\to$ are well founded.

Typing rules. Proofs of theorems such as the following are not too lengthy:

$$\frac{\Gamma \vdash e_1 : \tau_1 \qquad \Gamma \vdash e_2 : \tau_2}{\Gamma \vdash (e_1, e_2) : \tau_1 \times \tau_2}
\qquad\qquad
\frac{\Gamma \vdash e : \tau_1 \times \tau_2}{\Gamma \vdash \pi_1(e) : \tau_1}$$

$$\frac{\Gamma \vdash e_1 : \alpha \to \beta \qquad \Gamma \vdash e_2 : \alpha}{\Gamma \vdash e_1\, e_2 : \beta}$$

Finally, for any well founded type-constructor $F$, we have equirecursive types: $\mu F = F(\mu F)$.

Our paper [4] proves all these theorems and shows the extension of the result to types and values on von Neumann machines.

5.3 Mutable fields

Our work on mutable fields is still in a preliminary stage. Amal Ahmed, Roberto Virga, and I are investigating the following idea. Our semantics of immutable fields viewed a "state" as a pair $(a, m)$ of a memory $m$ and a set $a$ of allocated addresses. To allow for the update of existing values, we enhance $a$ to become a finite map from locations to types. The type $a(l)$ at some location $l$ specifies what kinds of updates at that location will preserve all existing typing judgements. Then, as before, a type is a predicate on states $(a, m)$ and root-pointers $x$ of type integer. In our object logic, we would write the types of these logical objects as,

$$\begin{aligned}
\mathrm{allocset} &= \mathrm{num} \to \mathrm{type} \\
\mathrm{value} &= \mathrm{allocset} \times \mathrm{memory} \times \mathrm{num} \\
\mathrm{type} &= \mathrm{num} \times \mathrm{value} \to o
\end{aligned}$$

The astute reader will notice that the metalogical type of "type" is recursive, and in a way that has an inconsistent cardinality: the set of types must be bigger than itself. This problem had us stumped for over a year, but we now have a tentative solution that replaces the type (in the allocset) with the Gödel number of a type. We hope to report on this result soon; we are delayed by our general practice of machine-checking our proofs in Twelf before submitting papers for publication, which in this case has saved us from some embarrassment.

5.4 Typed machine language

Morrisett's typed assembly language [14] is at too high a level to do proof-carrying code directly. Kedar Swadi, Gang Tan, Roberto Virga, and I have been designing a lower-level representation, called typed machine language, that will serve as the interface between compilers and our prover. In fact, we hope that a clean enough definition of this language will shift most of the work from the prover to the compiler's type-checker.

In order to avoid overspecializing the typed machine language (TML) with language-specific constructs such as records and disjoint-union variants, our TML will use very low-level typing primitives such as union types, intersection types, offset (address-arithmetic) types, and dependent types. This will make type-checking of TML difficult; we will need to assume that each compiler will have a source language with a decidable type system, and that translation of terms (and types) will yield a witness to the type-checking of the resultant TML representation.

Abstract machine instructions. One can view machine instructions at many levels of abstraction:

1. At the lowest level, an instruction is just an integer, an opcode encoding.

2. At the next level, it implements a relation on raw machine states $(r, m)$.

3. At a higher level, we can say that the Sparc add instruction implements a machine-independent notion of add, and similarly for other instructions.

4. Then we can view add as manipulating not just registers, but local variables (which may be implemented in registers or in the activation record).

5. We can view this instruction as one of various typed instructions on typed values; in the usual view, add has type $\mathrm{int} \times \mathrm{int} \to \mathrm{int}$, but the address-arithmetic add has type

$$(\tau_1 \times \tau_2 \times \cdots \times \tau_n) \times \mathrm{const}(i) \;\to\; (\tau_i \times \tau_{i+1} \times \cdots \times \tau_n)$$

for any $i$ and $n$.

6. Finally, we can specialize this typed add to the particular context where some instance of it appears, for example by instantiating the $i$, $n$, and $\tau_i$ in the previous example.

Abstraction level 1 is used in the statement of the theorem (safety of a machine-language program $p$). Abstraction level 5 is implicitly used in conventional proof-carrying code [15]. Our ongoing research involves finding semantic models for each of these levels, and then proving lemmas that can convert between assertions at the different levels.

Hoare logic. In reasoning about machine instructions at a higher level of abstraction, notions from Hoare logic are useful: preconditions, postconditions, and substitution. Without adding any new axioms, we can define a notion of predicates on states to serve as preconditions and postconditions, and substitution as a relation on predicates. But this can rapidly become inefficient, leading to proofs that are quadratic or exponential in size. Kedar Swadi, Roberto Virga, and I have taken some steps in lemmatizing substitution so that proofs don't blow up [5]; interesting related work has been done in Compaq SRC's extended static checker [9].


Software engineering practices. We define all of these abstraction levels in order to modularize our proofs. Since our approach to PCC shifts most of the work to the human prover of static, machine-checkable lemmas about the programming language's type system, we find it imperative to use the same software engineering practices in implementing proofs as are used in building any large system. The three most important practices are (1) abstraction and modularity, (2) abstraction and modularity, and (3) abstraction and modularity. At present, we have about thirty thousand lines of machine-checked proofs, and we would not be able to build and maintain the proofs without a well designed modularization.


6 Pruning the runtime system

Just as bugs in the compiler (of a conventional system) or the proof checker (of a PCC system) can create security holes, so can bugs in the runtime system: the garbage collector, debugger, marshaller/unmarshaller, and other components. An important part of research in Foundational PCC is to move components from the runtime system to the type-checkable user code. Then, any bugs in such components will either be detected by type-checking (or proof-checking), or will be type-safe bugs that may cause incorrect behavior but not insecure behavior.

Garbage collectors do two strange things that have made them difficult to express in a type-safe language: they allocate and deallocate arenas of memory containing many objects of different types, and they traverse (and copy) objects of arbitrary user-chosen types. Daniel Wang has developed a solution to these problems [22], based on the motto,

    Garbage collection = Regions + Intensional types.

That is, the region calculus of Tofte and Talpin [20] can be applied to the problem of garbage collection, as noticed in important recent work by Walker, Crary, and Morrisett [21]; to traverse objects of unknown type, the intensional type calculi originally developed by Harper and Morrisett [11] can be applied. Wang's work covers the region operators and management of pointer sharing; related work by Monnier, Saha, and Shao [13] covers the intensional type system.

Other potentially unsafe parts of the runtime system are ad hoc implementations of polytypic functions - those that work by induction over the structure of data types - such as polymorphic equality testers, debuggers, and marshallers (a.k.a. serializers or picklers). Juan Chen and I have developed an implementation of polytypic primitives as a transformation on the typed intermediate representation in the SML/NJ compiler [6]. Like the $\lambda_R$ transformation of Crary and Weirich [8] it allows these polytypic functions to be typechecked, but unlike their calculus, ours does not require dependent types in the typed intermediate language and is thus simpler to implement.


7 Conclusion

Our goal is to reduce the size of the trusted computing base of systems that run machine code from untrusted sources. This is an engineering challenge that requires work on many fronts. We are fortunate that during the last two decades, many talented scientists have built the mathematical infrastructure we need - the theory and implementation of logical frameworks and automated theorem provers, type theory and type systems, compilation and memory management, and programming language design. The time is ripe to apply all of these advances as engineering tools in the construction of safe systems.
Abstract

We formulate a Gentzen-style sequent calculus for partial correctness that subsumes propositional Hoare Logic. The system is a noncommutative intuitionistic Linear Logic. We prove soundness and completeness over relational and trace models. As a corollary we obtain a complete sequent calculus for inclusion and equivalence of regular expressions.


1 Introduction

In formulating logics for program verification such as Hoare Logic (HL), Dynamic Logic (DL), or Kleene Algebra with Tests (KAT), it is tempting to treat tests and correctness assertions as a uniform syntactic category. This temptation is best resisted: although both are classes of assertions, they have quite different characteristics. Tests are local assertions whose truth is determined by the current state of execution. They are normally immediately decidable. The assertion $x > 0$, where $x$ is a program variable, is an example of such a test. Tests occur in all modern programming languages as part of conditional expressions and looping constructs. Correctness assertions, on the other hand, are statements about the global behavior of a program, such as partial correctness or halting. They are typically much richer in expressive power than tests and undecidable in general.

DL does not distinguish between these two categories of assertions. The two are freely mixed, and both are treated classically. For this reason, the resulting system is unnecessarily complex for its purposes. The rich-test version of DL, in which one can convert an arbitrary correctness assertion to a test using the operator ?, is $\Pi^1_1$-complete (see [9]). Even with systems that do make the distinction, such as KAT, care must be taken not to inadvertently treat global properties as local; doing so can lead to anomalies such as the Dead Variable Paradox [13].

One major distinguishing factor between tests and correctness assertions that may not be immediately apparent is that the former are classical in nature, whereas the latter are intuitionistic. For example, the DL axiom

$$[p][q]b = [p;q]b$$

can be regarded as a noncommutative version of the intuitionistic currying rule

$$p \to q \to b \;=\; p \wedge q \to b.$$

Gödel [8] first observed the strong connection between modal and intuitionistic logic, foreshadowing Kripke's formulation of similar state-based semantics for these logics [16, 17] (see [1]). Kripke models also form the basis of the standard semantics of DL (see [9]), although as mentioned, DL does not realize the intuitionistic nature of partial correctness.

In this paper we give a Gentzen-style sequent calculus S that clearly separates partial correctness reasoning into its classical and intuitionistic parts. In Section 4, where we introduce the system, we will explain why we view partial correctness reasoning in S as intuitionistic rather than classical. System S has the flavor of a noncommutative intuitionistic Linear Logic and is in some ways related to a system of Girard [6, 7]. It is linear because expressions cannot be indiscriminately duplicated or eliminated.

The system does not contain any contraction rules. The linear implication operator takes only programs as left argument, while arbitrary partial correctness formulas can occur on the right. There is a very limited way in which the weakening rule for programs can be used - programs can be inserted only at the front of an environment. There is a co-contraction rule: a program of the form $p^+$ already present in the environment can be duplicated. Troelstra [20, p. 25] remarks that contraction has more dramatic proof theoretic consequences than weakening when added to Linear Logic.

We give relational and trace semantics for this logic and show how the logic captures partial correctness. We then prove soundness and completeness over both classes of models. As a corollary we obtain a complete sequent calculus for inclusion and equivalence of regular expressions.

We mention that our two equivalent semantics of Section 3 are both special cases of a more general approach to the semantics of noncommutative Linear Logic via quantales [21]. We restrict our attention to two special kinds of quantales: sets of traces and binary relations. Our completeness result is thus stronger than it would be for the more general semantics based on arbitrary quantales.

2 Syntax

The syntax of S comprises several syntactic categories. These will require some intuitive explanation, which we defer until after the formal definition. In particular we distinguish between two kinds of propositions, which we call tests and formulas.


tests           $b, c, d, \ldots$          $b ::= \text{(atomic tests)} \mid \bot \mid b \to c$
programs        $p, q, r, \ldots$          $p ::= \text{(atomic programs)} \mid b \mid p \cup q \mid p \otimes q \mid p^+$
formulas        $\varphi, \psi, \ldots$    $\varphi ::= b \mid p \to \varphi$
environments    $\Gamma, \Delta, \ldots$   $\Gamma ::= \varepsilon \mid \Gamma, p \mid \Gamma, \varphi$
sequents                                   $\Gamma \vdash \varphi$

In the above grammar, $\to$ is called linear implication, $\otimes$ is a noncommutative multiplicative connective called tensor, $\cup$ is a commutative additive connective called disjunction, and $^+$ is a unary operation called positive iteration. We use brackets where necessary to ensure unique readability. We abbreviate $b \to \bot$ by $\bar{b}$, $\bot \to \bot$ by $1$, $p \otimes q$ by $pq$, and $1 \cup p^+$ by $p^*$.

Several formalisms, such as PDL [5] and KAT [14], are based on $*$ rather than $+$. We can freely move between the two languages since $*$ and $+$ are mutually definable:

$$p^* = 1 \cup p^+ \qquad\qquad p^+ = p\,p^*.$$

For this reason, models for one language can be viewed as models for the other.

We base S on $+$ instead of $*$ because the resulting deductive system is cleaner - it contains no contraction rule.¹ This is perhaps due to the fact that $+$ can be viewed as a more primitive operation than $*$.

A test is either an atomic test, the symbol $\bot$ representing falsity, or an expression $b \to c$ representing classical implication, where $b$ and $c$ are tests. We use the symbols $b, c, d, \ldots$ exclusively to stand for tests. The set of all tests is denoted $B$. The sequent calculus to be presented in Section 4 will encode classical propositional logic for tests.

A program is either an atomic program, a test, or an expression $p \cup q$, $p \otimes q$, or $p^+$, where $p$ and $q$ are programs. We use the symbols $p, q, r, \ldots$ exclusively to stand for programs. The set of all programs is denoted $P$. As in PDL [5], the program operators can be used to construct conventional procedural programming constructs such as conditional tests and while loops.

¹ In fact, one of the natural rules for $*$ is a co-weakening rule, which is a strong form of a contraction rule.

A formula is either a test or an expression $p \to \varphi$, read "after $p$, $\varphi$," where $p$ is a program and $\varphi$ is a formula. Intuitively, the meaning is similar to the DL modal construct $[p]\varphi$. The operator $\to$ associates to the right. We use the symbols $\varphi, \psi, \ldots$ to stand for formulas.

Environments are denoted $\Gamma, \Delta, \ldots$. An environment is a (possibly empty) sequence of programs and formulas. The empty environment is denoted $\varepsilon$. Intuitively, an environment describes a previous computation that has led to the current state.

Sequents are of the form $\Gamma \vdash \varphi$, where $\Gamma$ is an environment and $\varphi$ is a formula. We write $\vdash \varphi$ for $\varepsilon \vdash \varphi$. Intuitively, the meaning of $\Gamma \vdash \varphi$ is similar to the DL assertion $[\Gamma]\varphi$, where we think of the environment $\Gamma = \ldots, p, \ldots, \psi, \ldots$ as the rich-test program $\cdots ; p ; \cdots ; \psi? ; \cdots$ of DL.

The partial correctness assertion $\{b\}\, p\, \{c\}$ of HL is encoded by the formula $b \to p \to c$. The Hoare-style rule

$$\frac{\{b_1\}\, p_1\, \{c_1\}, \ \ldots, \ \{b_n\}\, p_n\, \{c_n\}}{\{b\}\, p\, \{c\}}$$

is encoded by the sequent

$$b_1 \to p_1 \to c_1, \ \ldots, \ b_n \to p_n \to c_n \ \vdash\ b \to p \to c.$$

It follows from Theorem 6.1 that all relationally valid rules of this form are derivable; this is false for HL (see [11, 15]).

3 Semantics

3.1 Guarded Strings

Guarded strings over $P, B$ were introduced in [14]. We review the definition here.

Let $B = \{b_1, \ldots, b_k\}$ and $P = \{p_1, \ldots, p_m\}$ be fixed finite sets of atomic tests and atomic programs, respectively. An atom of $B$ is a program $c_1 \cdots c_k$ such that $c_i$ is either $b_i$ or $\bar{b}_i$. We require for technical reasons that the $c_i$ occur in this order. An atom represents a minimal nonzero element of the free Boolean algebra on $B$. We denote by $A_B$ the set of all atoms of $B$. For an atom $\alpha$ and a test $b$, we write $\alpha \le b$ if $\alpha \to b$ is a classical propositional tautology.

A guarded string is a sequence

$$\alpha_0 q_1 \alpha_1 \cdots \alpha_{n-1} q_n \alpha_n$$

where $n \ge 0$, each $\alpha_i \in A_B$ and $q_i \in P$. We define $\mathrm{first}(\sigma) = \alpha_0$ and $\mathrm{last}(\sigma) = \alpha_n$.

If $\mathrm{last}(\sigma) = \mathrm{first}(\tau)$, we can form the fusion product $\sigma\tau$ by concatenating $\sigma$ and $\tau$, omitting the extra copy of $\mathrm{last}(\sigma) = \mathrm{first}(\tau)$ in between. For example, if $\sigma = \alpha p \beta$ and $\tau = \beta q \gamma$, then $\sigma\tau = \alpha p \beta q \gamma$. If $\mathrm{last}(\sigma) \ne \mathrm{first}(\tau)$, then $\sigma\tau$ does not exist.

For sets $X, Y$ of guarded strings, define

$$X \circ Y \stackrel{\mathrm{def}}{=} \{\sigma\tau \mid \sigma \in X,\ \tau \in Y,\ \sigma\tau \text{ exists}\}$$

$$X^0 \stackrel{\mathrm{def}}{=} A_B, \qquad X^{n+1} \stackrel{\mathrm{def}}{=} X \circ X^n.$$

Although fusion product is a partial operation on guarded strings, the operation $\circ$ is a total operation on sets of guarded strings. If there is no existing fusion product between an element of $X$ and an element of $Y$, then $X \circ Y = \emptyset$.

Each program $p$ denotes a set $GS(p)$ of guarded strings:

$$\begin{aligned}
GS(p) &\stackrel{\mathrm{def}}{=} \{\alpha p \beta \mid \alpha, \beta \in A_B\}, & p \text{ atomic} \\
GS(b) &\stackrel{\mathrm{def}}{=} \{\alpha \in A_B \mid \alpha \le b\}, & b \text{ a test} \\
GS(p \cup q) &\stackrel{\mathrm{def}}{=} GS(p) \cup GS(q) \\
GS(p \otimes q) &\stackrel{\mathrm{def}}{=} GS(p) \circ GS(q) \\
GS(p^+) &\stackrel{\mathrm{def}}{=} \bigcup_{n \ge 1} GS(p)^n
\end{aligned}$$

It follows that $GS(p^*) = \bigcup_{n \ge 0} GS(p)^n$. A guarded string $\alpha$ is itself a program, and $GS(\alpha) = \{\alpha\}$.

A set of guarded strings over $P, B$ is regular if it is $GS(p)$ for some program $p$. The regular sets of guarded strings form the free Kleene algebra with tests on generators $P, B$ [14]; in other words, $GS(p) = GS(q)$ iff $p = q$ is a theorem of KAT.
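The following Python code is an added example, not part of the paper, that implements the definitions just given: atoms over a fixed $B$, the order $\alpha \le b$, the fusion product, the operation $\circ$, and $GS(p)$ for the program syntax of Section 2. Since $GS(p^+)$ is infinite in general, gs takes a bound and returns $\bigcup_{1 \le n \le \text{bound}} GS(p)^n$; for $+$-free programs the result is exact, so comparing gs values decides KAT equivalence of such programs, as the preceding paragraph states. The alphabets B and P and the programs exercised are constructed for the example.

```python
from itertools import product
from typing import FrozenSet, Tuple

# Constructed for the example: fixed finite alphabets, B in its fixed order.
B = ("b1", "b2")     # atomic tests
P = ("p", "q")       # atomic programs

Atom = Tuple[bool, ...]   # one truth value per atomic test, in the order of B
ATOMS = tuple(product((False, True), repeat=len(B)))   # A_B: 2^|B| atoms

# Tests:    ("atom", name) | ("false",) | ("imp", b, c)        b -> c is classical implication
# Programs: ("prog", name) | ("test", b) | ("union", p, q) | ("tensor", p, q) | ("plus", p)
FALSE = ("false",)
TRUE = ("imp", FALSE, FALSE)          # the abbreviation 1 for (false -> false)


def leq(alpha: Atom, b) -> bool:
    """alpha <= b: the atom, read as a truth assignment to B, satisfies the test b
    (equivalently, alpha -> b is a classical tautology)."""
    if b[0] == "atom":
        return alpha[B.index(b[1])]
    if b[0] == "false":
        return False
    return (not leq(alpha, b[1])) or leq(alpha, b[2])


def fuse(sigma: tuple, tau: tuple):
    """Fusion product sigma tau: defined only when last(sigma) == first(tau); the
    shared atom is written once.  A guarded string is a tuple alternating
    atom, atomic program, atom, ..., atom; a lone atom is the case n = 0."""
    if sigma[-1] != tau[0]:
        return None
    return sigma + tau[1:]


def compose(X: FrozenSet[tuple], Y: FrozenSet[tuple]) -> FrozenSet[tuple]:
    """X o Y = { sigma tau | sigma in X, tau in Y, sigma tau exists }."""
    out = set()
    for s in X:
        for t in Y:
            st = fuse(s, t)
            if st is not None:
                out.add(st)
    return frozenset(out)


def power(X: FrozenSet[tuple], n: int) -> FrozenSet[tuple]:
    """X^0 = A_B, X^(n+1) = X o X^n."""
    result = frozenset((a,) for a in ATOMS)
    for _ in range(n):
        result = compose(X, result)
    return result


def gs(p, bound: int = 3) -> FrozenSet[tuple]:
    """GS(p); p+ is approximated by the union of GS(p)^n for 1 <= n <= bound."""
    kind = p[0]
    if kind == "prog":
        return frozenset((a, p[1], b) for a in ATOMS for b in ATOMS)
    if kind == "test":
        return frozenset((a,) for a in ATOMS if leq(a, p[1]))
    if kind == "union":
        return gs(p[1], bound) | gs(p[2], bound)
    if kind == "tensor":
        return compose(gs(p[1], bound), gs(p[2], bound))
    if kind == "plus":
        X = gs(p[1], bound)
        return frozenset().union(*(power(X, n) for n in range(1, bound + 1)))
    raise ValueError(f"not a program: {p!r}")


def equivalent(p, q, bound: int = 3) -> bool:
    """GS(p) == GS(q); exact (hence a KAT equivalence test) when neither uses +."""
    return gs(p, bound) == gs(q, bound)


if __name__ == "__main__":
    b1 = ("atom", "b1")
    p, q = ("prog", "p"), ("prog", "q")
    alpha, beta, gamma = ATOMS[0], ATOMS[1], ATOMS[2]
    print(fuse((alpha, "p", beta), (beta, "q", gamma)))     # alpha p beta q gamma
    print(len(gs(("tensor", p, q))))                        # 4 * 4 * 4 = 64 strings
    print(equivalent(("tensor", ("test", b1), ("test", b1)), ("test", b1)))  # bb = b
```

Two consequences of the definitions are visible directly: a test followed by a contradictory test ($\bar{b} \otimes b$) denotes the empty set, because no atom can fuse with an atom that disagrees with it, and $\bot$ denotes the empty set for the same reason the text gives for closure under $\emptyset$.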

Lemma 3.1 The regular sets of guarded strings are closed under the Boolean operations.

Proof. Closure under $\emptyset$ and union is explicit by means of the constructs $\bot$ and $\cup$. It was shown in [14] that for any program $p$, there is an equivalent program $\hat p$ such that $\mathrm{GS}(p) = \mathrm{GS}(\hat p) = R(\hat p)$, where $R(\hat p)$ is the regular set of strings over the alphabet $P \cup B \cup \{\bar b \mid b \in B\}$ denoted by $\hat p$ under the usual interpretation of regular expressions. For example, if $w = (p_1 \cup \cdots \cup p_m)^*$, we might take $\hat w = (\hat b (p_1 \cup \cdots \cup p_m))^* \hat b$, where $\hat b = (b_1 \cup \bar b_1) \cdots (b_k \cup \bar b_k)$. The set $\mathrm{GS}(w) = \mathrm{GS}(\hat w) = R(\hat w)$ is the set of all guarded strings.

It remains to show closure under complement; closure under intersection follows by the De Morgan laws. Let $p'$ be an expression such that $R(p') = R(\hat w) - R(\hat p)$. The expression $p'$ exists since the regular sets of strings over $P \cup B \cup \{\bar b \mid b \in B\}$ are closed under the Boolean operations. Then $R(p')$ is a set of guarded strings since $R(\hat w)$ is, and
$$\mathrm{GS}(p') = R(p') = R(\hat w) - R(\hat p) = \mathrm{GS}(w) - \mathrm{GS}(p). \qquad \blacksquare$$
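The guarded-string semantics $\mathrm{GS}(p)$ and the complement construction in the proof of Lemma 3.1 can be computed mechanically once the strings are bounded in length. The following Python program is an added example written for this edit, not code from the paper: it represents an atom of the free Boolean algebra on $B$ as the set of primitive tests it makes true, implements the fusion product, $X \circ Y$ and $\mathrm{GS}(p)$ clause by clause, and unfolds $p^+$ and $p^*$ only up to a chosen number of actions so that every set stays finite. The tuple-based program syntax, the length bound and all function names are this example's own assumptions; the closing demonstration encodes a `while b do p` loop as the KAT program $(bp)^*\bar b$.

```python
from itertools import product

# Constructed program syntax for this example (an assumption, not the paper's notation):
#   ("act", "p")   atomic action p in P        ("test", "b")   primitive test b in B
#   ("not", t)     complement of test t        ("and", t1, t2) conjunction of tests
#   ("or", p, q)   p ∪ q (tests or programs)   ("seq", p, q)   p ⊗ q
#   ("plus", p)    p⁺                          ("star", p)     p*
# An atom of the free Boolean algebra on B is the frozenset of primitive tests it makes
# true; a guarded string is a tuple (α0, p1, α1, ..., pn, αn) alternating atoms and actions.


def atoms(B):
    """A_B: one atom per truth assignment to the primitive tests in B."""
    return {frozenset(b for b, v in zip(B, bits) if v)
            for bits in product([False, True], repeat=len(B))}


def sat(test, atom):
    """α ≤ b: the atom α makes the test b true (α → b is a tautology)."""
    kind = test[0]
    if kind == "test":
        return test[1] in atom
    if kind == "not":
        return not sat(test[1], atom)
    if kind == "and":
        return sat(test[1], atom) and sat(test[2], atom)
    if kind == "or":
        return sat(test[1], atom) or sat(test[2], atom)
    raise ValueError(f"not a test: {test!r}")


def fuse(s, t):
    """Fusion product στ, defined only when last(σ) = first(τ); None otherwise."""
    return s + t[1:] if s[-1] == t[0] else None


def compose(X, Y):
    """X ∘ Y = {στ | σ ∈ X, τ ∈ Y, στ exists}: total on sets, possibly empty."""
    return {f for s in X for t in Y if (f := fuse(s, t)) is not None}


def actions(s):
    """Number of actions in a guarded string (the quantity bounded in this example)."""
    return len(s) // 2


def GS(p, B, max_actions):
    """GS(p), restricted to guarded strings with at most max_actions actions.

    The bound keeps every set finite; p⁺ and p* are unfolded as X¹, X², ... until no
    new string fits under the bound (X⁰ = A_B, X^{n+1} = X ∘ Xⁿ as in the text).
    """
    A = atoms(B)
    kind = p[0]
    if kind == "act":
        return {(a, p[1], b) for a in A for b in A}     # {αpβ | α, β ∈ A_B}
    if kind in ("test", "not", "and"):
        return {(a,) for a in A if sat(p, a)}          # {α ∈ A_B | α ≤ b}
    if kind == "or":                                   # GS(p ∪ q) = GS(p) ∪ GS(q)
        return GS(p[1], B, max_actions) | GS(p[2], B, max_actions)
    if kind == "seq":                                  # GS(p ⊗ q) = GS(p) ∘ GS(q)
        X = compose(GS(p[1], B, max_actions), GS(p[2], B, max_actions))
        return {s for s in X if actions(s) <= max_actions}
    if kind in ("plus", "star"):
        X = GS(p[1], B, max_actions)
        power = {(a,) for a in A}                      # X⁰ = A_B
        result = set(power) if kind == "star" else set()
        while True:
            power = {s for s in compose(X, power) if actions(s) <= max_actions}
            if power <= result:                        # no new strings: fixpoint reached
                return result
            result |= power
    raise ValueError(f"unknown program: {p!r}")


def all_guarded_strings(P, B, max_actions):
    """GS(w) for w = (p1 ∪ ... ∪ pm)*: every guarded string over P, B (Lemma 3.1)."""
    w = ("act", P[0])
    for a in P[1:]:
        w = ("or", w, ("act", a))
    return GS(("star", w), B, max_actions)


def complement(p, P, B, max_actions):
    """GS(w) − GS(p): the Boolean complement used in the proof of Lemma 3.1."""
    return all_guarded_strings(P, B, max_actions) - GS(p, B, max_actions)


if __name__ == "__main__":
    B, P = ["b"], ["p", "q"]
    alpha, beta = frozenset({"b"}), frozenset()
    # the fusion example from the text: αpβ fused with βqα gives αpβqα
    print(fuse((alpha, "p", beta), (beta, "q", alpha)))
    print(fuse((alpha, "p", beta), (alpha, "q", alpha)))   # None: last(σ) ≠ first(τ)
    # "while b do p" as the KAT program (b p)* ¬b, unfolded to at most 2 iterations
    loop = ("seq", ("star", ("seq", ("test", "b"), ("act", "p"))), ("not", ("test", "b")))
    for s in sorted(GS(loop, B, 2), key=actions):
        print([sorted(x) if isinstance(x, frozenset) else x for x in s])
    print(len(complement(("act", "p"), P, B, 1)), "guarded strings with <= 1 action lie outside GS(p)")
```

Every guarded string of the loop program ends in an atom where $b$ is false, and every action is preceded by an atom where $b$ is true, which is exactly the partial-correctness reading of the loop that the sequent calculus later formalises.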


3.2 Trace Models

Traces are similar to guarded strings but more general. They are defined in terms of Kripke frames. A Kripke frame over $P, B$ is a structure $(K, m_K)$, where $K$ is a set and $m_K$ assigns to each atomic program $p \in P$ a binary relation $m_K(p) \subseteq K \times K$ and to each primitive test $b \in B$ a subset $m_K(b) \subseteq K$.

Elements of $K$ are called states. A trace in $K$ is a sequence of the form $s_0 q_1 s_1 \cdots s_{n-1} q_n s_n$, where $n \ge 0$, $s_i \in K$, $q_i \in P$, and $(s_i, s_{i+1}) \in m_K(q_{i+1})$ for $0 \le i \le n-1$. The first and last states of $\sigma$ are denoted $\mathrm{first}(\sigma)$ and $\mathrm{last}(\sigma)$, respectively. If $\mathrm{last}(\sigma) = \mathrm{first}(\tau)$, we can fuse $\sigma$ and $\tau$ to get the trace $\sigma\tau$. If $\mathrm{last}(\sigma) \ne \mathrm{first}(\tau)$ then $\sigma\tau$ does not exist. A trace $s_0 q_1 s_1 \cdots s_{n-1} q_n s_n$ is acyclic if the $s_i$ are distinct. The model $K$ is acyclic if all traces are acyclic. It is no loss of generality to restrict attention to acyclic models; every model is equivalent to an acyclic model obtained by "unwinding" the original model (see [9, p. 132] for an explicit construction).

If $X$ and $Y$ are sets of traces, define
$$X \circ Y \stackrel{\text{def}}{=} \{\sigma\tau \mid \sigma \in X,\ \tau \in Y,\ \sigma\tau \text{ exists}\}$$
$$X^0 \stackrel{\text{def}}{=} K, \qquad X^{n+1} \stackrel{\text{def}}{=} X \circ X^n.$$

Tests, programs, formulas, and environments are interpreted as sets of traces according to the following inductive definition:
$$\begin{aligned}
[\![p]\!]_K &\stackrel{\text{def}}{=} \{spt \mid (s,t) \in m_K(p)\}, & p \text{ atomic} \\
[\![b]\!]_K &\stackrel{\text{def}}{=} m_K(b), & b \text{ atomic} \\
[\![\bot]\!]_K &\stackrel{\text{def}}{=} \emptyset \\
[\![p \cup q]\!]_K &\stackrel{\text{def}}{=} [\![p]\!]_K \cup [\![q]\!]_K \\
[\![p \otimes q]\!]_K &\stackrel{\text{def}}{=} [\![p]\!]_K \circ [\![q]\!]_K \\
[\![p^+]\!]_K &\stackrel{\text{def}}{=} \bigcup_{n \ge 1} [\![p]\!]_K^n \\
[\![p \to \varphi]\!]_K &\stackrel{\text{def}}{=} \{s \mid \forall \tau\ \ \mathrm{first}(\tau) = s \text{ and } \tau \in [\![p]\!]_K \Rightarrow \mathrm{last}(\tau) \in [\![\varphi]\!]_K\} \\
[\![\varepsilon]\!]_K &\stackrel{\text{def}}{=} K \\
[\![\Gamma, \Delta]\!]_K &\stackrel{\text{def}}{=} [\![\Gamma]\!]_K \circ [\![\Delta]\!]_K.
\end{aligned}$$

It follows that
$$\begin{aligned}
[\![\bar b]\!]_K &= K - [\![b]\!]_K \\
[\![1]\!]_K &= K \\
[\![p^*]\!]_K &= \bigcup_{n \ge 0} [\![p]\!]_K^n.
\end{aligned}$$

Every trace $\sigma$ has an associated guarded string $\mathrm{gs}(\sigma)$ defined by
$$\mathrm{gs}(s_0 q_1 s_1 \cdots s_{n-1} q_n s_n) \stackrel{\text{def}}{=} \alpha_0 q_1 \alpha_1 \cdots \alpha_{n-1} q_n \alpha_n,$$
where $\alpha_i$ is the unique atom of $B$ such that $s_i \in [\![\alpha_i]\!]_K$. Thus $\mathrm{gs}(\sigma)$ is the unique guarded string over $P, B$ such that $\sigma \in [\![\mathrm{gs}(\sigma)]\!]_K$.

The sequent $\Gamma \vdash \varphi$ is valid in the trace model $K$ if for all traces $\sigma \in [\![\Gamma]\!]_K$, $\mathrm{last}(\sigma) \in [\![\varphi]\!]_K$; equivalently, if
$$[\![\Gamma]\!]_K \subseteq [\![\Gamma, \varphi]\!]_K.$$

The relationship between trace semantics and guarded strings is given by the following lemma.

Lemma 3.2 In any trace model $K$, for any program $p$ and trace $\tau$, $\tau \in [\![p]\!]_K$ iff $\mathrm{gs}(\tau) \in \mathrm{GS}(p)$. In other words, $[\![p]\!]_K = \mathrm{gs}^{-1}(\mathrm{GS}(p))$. The map $X \mapsto \mathrm{gs}^{-1}(X)$ is a KAT homomorphism from the algebra of regular sets of guarded strings to the algebra of regular sets of traces over $K$.

Proof. Induction on the structure of $p$. $\blacksquare$

3.3 Relational Models

Kripke frames $(K, m_K)$ also give rise to relational models. In a relational model, tests, programs, formulas, and environments are interpreted as binary relations on $K$. Tests and formulas denote subsets of the identity relation.
$$\begin{aligned}
[p]_K &\stackrel{\text{def}}{=} m_K(p), & p \text{ atomic} \\
[b]_K &\stackrel{\text{def}}{=} \{(s,s) \mid s \in m_K(b)\}, & b \text{ atomic} \\
[\bot]_K &\stackrel{\text{def}}{=} \emptyset \\
[p \cup q]_K &\stackrel{\text{def}}{=} [p]_K \cup [q]_K \\
[p \otimes q]_K &\stackrel{\text{def}}{=} [p]_K \circ [q]_K \\
[p^+]_K &\stackrel{\text{def}}{=} \bigcup_{n \ge 1} [p]_K^n \\
[p \to \varphi]_K &\stackrel{\text{def}}{=} \{(s,s) \mid \forall t\ \ (s,t) \in [p]_K \Rightarrow (t,t) \in [\varphi]_K\} \\
[\varepsilon]_K &\stackrel{\text{def}}{=} \{(s,s) \mid s \in K\} \\
[\Gamma, \Delta]_K &\stackrel{\text{def}}{=} [\Gamma]_K \circ [\Delta]_K.
\end{aligned}$$

Here $\circ$ denotes ordinary composition of binary relations. It follows that
$$\begin{aligned}
[\bar b]_K &= \{(s,s) \mid (s,s) \notin [b]_K\} \\
[1]_K &= \{(s,s) \mid s \in K\} \\
[p^*]_K &= \bigcup_{n \ge 0} [p]_K^n.
\end{aligned}$$

Writing $s \models \varphi$ for $(s,s) \in [\varphi]_K$, the defining clause for $p \to \varphi$ becomes
$$s \models p \to \varphi \iff \forall t\ \ (s,t) \in [p]_K \Rightarrow t \models \varphi,$$
thus the meaning of $p \to \varphi$ is essentially the same as the meaning of the box formula $[p]\varphi$ of DL.

The sequent $\Gamma \vdash \varphi$ is valid in the relational model on $(K, m_K)$ if for all $s, t \in K$, if $(s,t) \in [\Gamma]_K$, then $(t,t) \in [\varphi]_K$; equivalently, if the DL formula $[\Gamma]\varphi$ is true in all states under the rich-test semantics [5], where the environment $\Gamma = \ldots, p, \ldots, \psi, \ldots$ is interpreted as the rich-test program $\cdots ; p ; \cdots ; \psi? ; \cdots$.

3.4 Relationship between Trace and Relational Models

It can be shown by induction on syntax that the map
$$r : X \mapsto \{(\mathrm{first}(\sigma), \mathrm{last}(\sigma)) \mid \sigma \in X\}$$
from sets of traces on $K$ to binary relations on $K$ maps $[\![p]\!]_K$ to $[p]_K$ and $[\![\varphi]\!]_K$ to $[\varphi]_K$, using the fact that $r$ commutes with the operators $\cup$ and $\circ$ on sets of traces and binary relations. It follows that validity over relational models is the same as validity over trace models. We include these remarks to establish the connection with the standard relational semantics of DL.
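The relational semantics of Section 3.3 is small enough to evaluate directly on a finite Kripke frame, which is how one checks a concrete sequent, or a concrete rule instance, before trusting a proof of it. The following Python program is an added example written for this edit, not code from the paper: it computes $[e]_K$ for programs and formulas (with $[p \to \varphi]_K$ implemented as the box $[p]\varphi$), $[\Gamma]_K$ for environments, and the validity condition for $\Gamma \vdash \varphi$. The frame, a three-state access-control session with actions `login`, `elevate`, `logout` and tests `authenticated`, `is_admin`, is constructed for the example, as are the tuple syntax and all names; `implication_inclusion` checks the semantic inclusion $[p \to \psi]_K \circ [p]_K \subseteq [p]_K \circ [\psi]_K$ that the soundness argument for rule (I →) rests on, transposed from traces to relations.

```python
# Constructed syntax for this example (an assumption, not the paper's notation):
#   programs: ("act", "p"), ("test", "b"), ("bot",), ("or", p, q), ("seq", p, q),
#             ("plus", p), ("star", p)
#   formulas: a test ("test", "b"), or ("imp", p, phi) for the linear implication p → φ
#   environments: Python lists of programs and formulas, the empty list being ε
# A Kripke frame is (K, m): K a set of states, m[p] a set of state pairs for each
# action p and m[b] a set of states for each primitive test b.


def rel_compose(R, S):
    """Ordinary composition of binary relations, R ∘ S."""
    return {(s, u) for (s, t) in R for (t2, u) in S if t == t2}


def identity(K):
    """[1]_K = [ε]_K = {(s, s) | s ∈ K}."""
    return {(s, s) for s in K}


def sem(e, K, m):
    """[e]_K, the binary relation on K denoted by a program or formula e."""
    kind = e[0]
    if kind == "act":
        return set(m[e[1]])                                # m_K(p)
    if kind == "test":
        return {(s, s) for s in m[e[1]]}                   # a subset of the identity
    if kind == "bot":
        return set()
    if kind == "or":
        return sem(e[1], K, m) | sem(e[2], K, m)
    if kind == "seq":
        return rel_compose(sem(e[1], K, m), sem(e[2], K, m))
    if kind in ("plus", "star"):
        R = sem(e[1], K, m)
        power = identity(K)                                # [p]⁰
        acc = set(power) if kind == "star" else set()
        while True:                                        # K is finite, so this stabilises
            power = rel_compose(R, power)                  # [p]^{n+1} = [p] ∘ [p]ⁿ
            if power <= acc:
                return acc
            acc |= power
    if kind == "imp":
        # [p → φ]_K = {(s, s) | ∀t (s, t) ∈ [p]_K ⇒ (t, t) ∈ [φ]_K}: the DL box [p]φ
        P, F = sem(e[1], K, m), sem(e[2], K, m)
        return {(s, s) for s in K
                if all((t, t) in F for (s2, t) in P if s2 == s)}
    raise ValueError(f"unknown expression: {e!r}")


def sem_env(env, K, m):
    """[Γ]_K: the composition of the relations of Γ's components."""
    R = identity(K)
    for e in env:
        R = rel_compose(R, sem(e, K, m))
    return R


def valid(env, phi, K, m):
    """Γ ⊢ φ is valid in the relational model if (s,t) ∈ [Γ]_K implies (t,t) ∈ [φ]_K."""
    F = sem(phi, K, m)
    return all((t, t) in F for (_, t) in sem_env(env, K, m))


def implication_inclusion(p, psi, K, m):
    """The semantic fact behind rule (I →): [p → ψ]_K ∘ [p]_K ⊆ [p]_K ∘ [ψ]_K."""
    lhs = rel_compose(sem(("imp", p, psi), K, m), sem(p, K, m))
    rhs = rel_compose(sem(p, K, m), sem(psi, K, m))
    return lhs <= rhs


# A constructed three-state frame: an access-control session (an assumption of this example).
K = {"guest", "auth", "admin"}
M = {
    "login": {("guest", "auth")},
    "elevate": {("auth", "admin")},
    "logout": {("auth", "guest"), ("admin", "guest")},
    "authenticated": {"auth", "admin"},
    "is_admin": {"admin"},
}
LOGIN, ELEVATE, LOGOUT = ("act", "login"), ("act", "elevate"), ("act", "logout")
AUTH = ("test", "authenticated")

if __name__ == "__main__":
    # Valid: every run of login ends in an authenticated state.
    print(valid([LOGIN], AUTH, K, M))
    # Invalid: login* includes the empty run, which leaves a guest unauthenticated.
    print(valid([("star", LOGIN)], AUTH, K, M))
    # Valid: after login, any number of logout;login pairs keeps the session authenticated.
    print(valid([LOGIN, ("star", ("seq", LOGOUT, LOGIN))], AUTH, K, M))
    # [elevate → is_admin]_K is the whole identity: every elevate step lands in admin.
    print(sem(("imp", ELEVATE, ("test", "is_admin")), K, M) == identity(K))
    print(implication_inclusion(LOGIN, AUTH, K, M))
```

The invalid case is the instructive one: $\mathrm{login}^* \vdash \mathrm{authenticated}$ fails only because of the zero-iteration run, which is precisely why the calculus separates $p^+$ from $p^*$ and why rule (I +) carries the invariant $q \to \varphi$ rather than $\varphi$ alone.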

4 A Deductive System

The rules of System S are given in Figure 1. All rules are of the form
$$\frac{\Gamma_1 \vdash \varphi_1 \quad \cdots \quad \Gamma_n \vdash \varphi_n}{\Gamma \vdash \varphi}$$
The sequents above the line are the premises and the sequent below the line is the conclusion. Since programs cannot occur positively on the right hand side of $\vdash$, the system has introduction and elimination rules on the left of $\vdash$.

We will use the notation $\Gamma \vdash \varphi$ ambiguously as both an object and a meta-assertion. As an object it denotes a sequent, i.e. a sequence of symbols over the appropriate vocabulary. As a meta-assertion it says that the sequent $\Gamma \vdash \varphi$ is provable in S. In particular, $\Gamma \nvdash \varphi$ means that the sequent $\Gamma \vdash \varphi$ is not provable in S. The proper interpretation should always be clear from context.

A rule is admissible if for any substitution instance for which the premises are provable, the conclusion is also provable. The proof of the conclusion may depend on the structure of the expressions substituted for the metasymbols appearing in the rule or on the proofs of the premises. To show admissibility, it suffices to derive the conclusion in S augmented with the premises as extra axioms, considering the metasymbols appearing in the rule as atomic symbols in the object language. Any such derivation will then be uniformly valid over all substitution instances.

Axiom: $b \vdash c$, where $b \to c$ is a classical propositional tautology

Arrow Rules:
$$(\mathrm{R}\to)\ \frac{\Gamma, p \vdash \varphi}{\Gamma \vdash p \to \varphi} \qquad\qquad (\mathrm{I}\to)\ \frac{\Gamma, p, \psi, \Delta \vdash \varphi}{\Gamma, p \to \psi, p, \Delta \vdash \varphi}$$

Introduction Rules:
$$(\mathrm{I}\otimes)\ \frac{\Gamma, p, q, \Delta \vdash \varphi}{\Gamma, p \otimes q, \Delta \vdash \varphi} \qquad\qquad (\mathrm{I}\cup)\ \frac{\Gamma, p, \Delta \vdash \varphi \quad\quad \Gamma, q, \Delta \vdash \varphi}{\Gamma, p \cup q, \Delta \vdash \varphi}$$
$$(\mathrm{I}\bot)\ \ \Gamma, \bot, \Delta \vdash \varphi \qquad\qquad (\mathrm{I}+)\ \frac{q \to \varphi, p \vdash \varphi \quad\quad q \to \varphi, p, q \vdash \varphi}{q \to \varphi, p^+ \vdash \varphi}$$

Elimination Rules:
$$(\mathrm{E}\otimes)\ \frac{\Gamma, p \otimes q, \Delta \vdash \varphi}{\Gamma, p, q, \Delta \vdash \varphi} \qquad\qquad (\mathrm{E}+)\ \frac{\Gamma, p^+, \Delta \vdash \varphi}{\Gamma, p, \Delta \vdash \varphi}$$
$$(\mathrm{E1}\cup)\ \frac{\Gamma, p \cup q, \Delta \vdash \varphi}{\Gamma, p, \Delta \vdash \varphi} \qquad\qquad (\mathrm{E2}\cup)\ \frac{\Gamma, p \cup q, \Delta \vdash \varphi}{\Gamma, q, \Delta \vdash \varphi}$$

Structural Rules:
$$(\mathrm{W}\psi)\ \frac{\Gamma, \Delta \vdash \varphi}{\Gamma, \psi, \Delta \vdash \varphi} \qquad (\mathrm{W}p)\ \frac{\Gamma \vdash \varphi}{p, \Gamma \vdash \varphi} \qquad (\mathrm{CC}+)\ \frac{\Gamma, p^+, \Delta \vdash \varphi}{\Gamma, p^+, p^+, \Delta \vdash \varphi}$$

Cut Rule:
$$(\mathrm{cut})\ \frac{\Gamma \vdash \psi \quad\quad \Gamma, \psi, \Delta \vdash \varphi}{\Gamma, \Delta \vdash \varphi}$$

Figure 1. Rules of System S


4.1 Basic Properties

Lemma 4.1 The rule
$$(\mathrm{E}1)\ \frac{\Gamma, 1, \Delta \vdash \varphi}{\Gamma, \Delta \vdash \varphi}$$
is admissible.

Proof. From (I ⊥) and (R →) we get $\Gamma \vdash 1$. The desired conclusion follows from (cut). $\blacksquare$

Lemma 4.2 The rule and sequent
$$(\mathrm{mono})\ \frac{\varphi \vdash \psi}{p \to \varphi \vdash p \to \psi} \qquad\qquad (\mathrm{ident})\ \ \varphi \vdash \varphi$$
are admissible.

Proof. The following diagram gives a proof of (mono).
$$\frac{\dfrac{\dfrac{\varphi \vdash \psi}{p, \varphi \vdash \psi}\ (\mathrm{W}p)}{p \to \varphi, p \vdash \psi}\ (\mathrm{I}\to)}{p \to \varphi \vdash p \to \psi}\ (\mathrm{R}\to)$$

The identity sequent (ident) follows by induction on the structure of $\varphi$ using (mono). The basis $b \vdash b$ is an instance of the axiom. $\blacksquare$

Lemma 4.3 The rules
$$(\mathrm{MP})\ \frac{\Gamma \vdash p \to \varphi}{\Gamma, p \vdash \varphi} \qquad\qquad (\mathrm{W}\bot)\ \frac{\Gamma \vdash \bot}{\Gamma, p \vdash \bot}$$
are admissible.

Proof. For (MP), we have $\varphi \vdash \varphi$ by Lemma 4.2. The following figure gives the remainder of the derivation.
$$\frac{\Gamma \vdash p \to \varphi \qquad \dfrac{\begin{array}{c} \varphi \vdash \varphi \\ \hline p, \varphi \vdash \varphi \\ \vdots \\ \Gamma, p, \varphi \vdash \varphi \end{array}\ \begin{array}{l} \\ (\mathrm{W}p) \\ (\mathrm{W}p), (\mathrm{W}\psi) \\ \ \end{array}}{\Gamma, p \to \varphi, p \vdash \varphi}\ (\mathrm{I}\to)}{\Gamma, p \vdash \varphi}\ (\mathrm{cut})$$

To derive (W ⊥), the sequent $\Gamma, \bot, p \vdash \bot$ is an instance of (I ⊥). Applying (cut) to this and the premise $\Gamma \vdash \bot$ yields the desired conclusion. $\blacksquare$


We wish to pause and discuss briefly why we view partial correctness reasoning in S as intuitionistic rather than classical. It is not immediately obvious, since formulas are of the form $p_1 \to \cdots \to p_n \to b$, where $p_1, \ldots, p_n$ are programs and $b$ is a test. In particular, formulas are not closed under implication. But we can argue that the implication in the formula $p \to \varphi$ has intuitionistic flavor by considering the rules that introduce implication. Rule (R →) is a typical rule of introduction of implication on the right of $\vdash$. Rule (I →) is not so typical, but it can be shown that this rule is derivable from (ident), (MP), (W ψ), (W p), and (cut) as follows.
$$\frac{\dfrac{\dfrac{p \to \psi \vdash p \to \psi}{p \to \psi, p \vdash \psi}\ (\mathrm{MP})}{\Gamma, p \to \psi, p \vdash \psi}\ (\mathrm{W}\psi), (\mathrm{W}p) \qquad \dfrac{\Gamma, p, \psi, \Delta \vdash \varphi}{\Gamma, p \to \psi, p, \psi, \Delta \vdash \varphi}\ (\mathrm{W}\psi)}{\Gamma, p \to \psi, p, \Delta \vdash \varphi}\ (\mathrm{cut})$$

Since each of the rules used in the above derivation clearly has an intuitionistic flavor, it follows that (I →) has as well.

Lemma 4.4 The rule
$$(\mathrm{iter})\ \frac{\varphi, p \vdash \varphi}{\varphi, p^+ \vdash \varphi}$$
is admissible.

Proof. Taking $q$ in (I +) to be $1$, by (cut) it suffices to show $1 \to \varphi \vdash \varphi$ and $\varphi \vdash 1 \to \varphi$. These follow without difficulty from (R →), (MP), (E 1), and (W ψ). $\blacksquare$

Lemma 4.5 The rules
$$(\mathrm{curry})\ \frac{\Gamma, p \to q \to \varphi, \Delta \vdash \psi}{\Gamma, pq \to \varphi, \Delta \vdash \psi} \qquad\qquad (\mathrm{uncurry})\ \frac{\Gamma, pq \to \varphi, \Delta \vdash \psi}{\Gamma, p \to q \to \varphi, \Delta \vdash \psi}$$
are admissible.

Proof. By (cut), it suffices to show $pq \to \varphi \vdash p \to q \to \varphi$ and $p \to q \to \varphi \vdash pq \to \varphi$. For the former, starting with $pq \to \varphi \vdash pq \to \varphi$, apply (MP) and (E ⊗) to get $pq \to \varphi, p, q \vdash \varphi$, then apply (R →) twice. For the latter, starting with $\varphi \vdash \varphi$, apply (W p) twice to get $p, q, \varphi \vdash \varphi$, then apply (I →) twice to get $p \to q \to \varphi, p, q \vdash \varphi$. The result then follows from (I ⊗) and (R →). $\blacksquare$

4.2 Relation to Kleene Algebra

We show in this section that S induces a left-handed Kleene algebra structure on programs. Recall that a Kleene algebra (KA) is an idempotent semiring such that $p^*q$ is the least solution to $q + px \le x$ and $qp^*$ is the least solution to $q + xp \le x$. Equivalently, a Kleene algebra is an idempotent semiring satisfying
$$1 + pp^* = 1 + p^*p = p^* \tag{1}$$
$$px \le x \to p^*x \le x \tag{2}$$
$$xp \le x \to xp^* \le x. \tag{3}$$

Boffa [2, 3], based on results of Krob [18], shows that for the equational theory of the regular sets, the right-hand rule (3) is unnecessary. We will call an idempotent semiring satisfying (1) and (2) a left-handed Kleene algebra. Boffa's result says that for regular expressions $p$ and $q$, $R(p) = R(q)$ iff $p = q$ is a logical consequence of the axioms of left-handed Kleene algebra, where $R$ is the usual interpretation of regular expressions as sets of strings.

More specifically, Krob [18] shows that the classical equations of Conway [4], along with a certain infinite but independently characterized set of axioms, logically entail all identities of the regular sets over $P$. The classical equations of Conway are the axioms of idempotent semirings, the equations (1), and the equations
$$\begin{aligned}
(p + q)^* &= (p^*q)^*p^* \\
p^* &= p^{**} \\
(pq)^* &= 1 + p(qp)^*q \\
p^* &= (p^n)^*(1 + p)^{n-1}, \quad n \ge 1.
\end{aligned}$$

Boffa [2, 3] actually shows that these equations plus the rule
$$p^2 = p \to p^* = 1 + p \tag{4}$$
(which the reader will note is neither left- nor right-handed) imply all the axioms of Krob, therefore the classical equations of Conway plus Boffa's rule (4) are complete for the equational theory of the regular sets over $P$. The classical equations and Boffa's rule are all easily shown to be theorems of left-handed KA.

Our first task is to extend these results to Kleene algebra with tests and guarded strings.


Lemma 4.6 Every $\varphi$ is provably equivalent to some $p \to \bot$ in the sense that $\varphi \vdash p \to \bot$ and $p \to \bot \vdash \varphi$.

Proof. The formula $q_1 \to \cdots \to q_n \to b$ is equivalent to $q_1 \cdots q_n \bar b \to \bot$. The proof of this fact is quite easy using Lemma 4.5 and is left to the reader. $\blacksquare$


Lemma 4.7 Left-handed KAT is complete for the equational theory of the regular sets of guarded strings over $P$ and $B$. In other words, for every pair of programs $p, q$ in the language of KAT, $\mathrm{GS}(p) = \mathrm{GS}(q)$ if and only if the equation $p = q$ is a logical consequence of the axioms of left-handed KAT.

Proof. We adapt an argument of [14], in which the same result was proved for KAT with both the left- and right-hand rule. It was shown there that for any program $p$, there is an equivalent program $\hat p$ such that

(i) $p = \hat p$ is a theorem of KAT, and

(ii) $\mathrm{GS}(p) = R(\hat p)$, where $R(\hat p)$ is the regular set of strings over the alphabet $P \cup B \cup \{\bar b \mid b \in B\}$ denoted by $\hat p$ under the usual interpretation of regular expressions.

In other words, any $p$ can be transformed by the axioms of KAT to another program $\hat p$ such that the set of guarded strings denoted by $p$ is the same as the set of strings denoted by $\hat p$.

Now to show completeness of KAT over guarded strings, [14] argued as follows. Suppose $\mathrm{GS}(p) = \mathrm{GS}(q)$. Then
$$R(\hat p) = \mathrm{GS}(\hat p) = \mathrm{GS}(p) = \mathrm{GS}(q) = \mathrm{GS}(\hat q) = R(\hat q).$$
Since KA is complete for the equational theory of the regular sets, $\hat p = \hat q$ is a theorem of KA. Combining this with (i) for $p$ and $q$ implies that $p = q$ is a theorem of KAT.

To adapt this to the present situation, we observe that $\hat p = \hat q$ is a theorem of left-handed KA by the results of Boffa and Krob. Thus in order to complete the proof, we need only ascertain that the right-hand rule (3) is not needed in the proof of $p = \hat p$. This does not follow from Boffa's and Krob's results, since the argument is in KAT, not KA. However, a perusal of [14] reveals that the proof of $p = \hat p$ uses neither the left- nor the right-hand rule, but can be carried out using only the classical equations of Conway and the axioms of Boolean algebra. $\blacksquare$

We now describe the left-handed KAT structure induced by S. Define $p \sqsubseteq q$ if $q \to \varphi \vdash p \to \varphi$ is admissible; that is, if $q \to \varphi \vdash p \to \varphi$ is provable for all $\varphi$. Define $p \equiv q$ if $p \sqsubseteq q$ and $q \sqsubseteq p$. The relation $\sqsubseteq$ is a preorder, therefore $\equiv$ is an equivalence relation and $\sqsubseteq$ is a partial order on $\equiv$-classes. Reflexivity is (ident) (Lemma 4.2) and transitivity follows from a single application of (cut).

Lemma 4.8 The operators $\cup$ and $\otimes$ are monotone with respect to $\sqsubseteq$. That is, if $p \sqsubseteq q$, then $p \cup r \sqsubseteq q \cup r$, $pr \sqsubseteq qr$, and $rp \sqsubseteq rq$.

Proof. The rules (E1 ∪), (E2 ∪), and (I ∪) imply that $p \cup q$ is the $\sqsubseteq$-least upper bound of $p$ and $q$ modulo $\equiv$. The monotonicity of $\cup$ follows by equational reasoning:
$$p \sqsubseteq q \Rightarrow p \sqsubseteq q \cup r \text{ and } r \sqsubseteq q \cup r \Rightarrow p \cup r \sqsubseteq q \cup r.$$

For $\otimes$, we must show that if $q \to \varphi \vdash p \to \varphi$ for any $\varphi$, then $qr \to \varphi \vdash pr \to \varphi$ and $rq \to \varphi \vdash rp \to \varphi$ for any $\varphi$. Using (cut), (curry), and (uncurry) (Lemma 4.5), it suffices to show that $q \to r \to \varphi \vdash p \to r \to \varphi$ and $r \to q \to \varphi \vdash r \to p \to \varphi$ for any $\varphi$. The former is immediate from the assumption, and the latter follows from (mono) (Lemma 4.2). $\blacksquare$

Lemma 4.9 If $p \sqsubseteq q$ and $qq \sqsubseteq q$, then $p^+ \sqsubseteq q$.

Proof. Certainly $pq \sqsubseteq q$ by monotonicity. Then
$$\frac{\dfrac{\dfrac{q \to \varphi \vdash p \to \varphi}{q \to \varphi, p \vdash \varphi}\ (\mathrm{MP}) \qquad \dfrac{\dfrac{q \to \varphi \vdash pq \to \varphi}{q \to \varphi, pq \vdash \varphi}\ (\mathrm{MP})}{q \to \varphi, p, q \vdash \varphi}\ (\mathrm{E}\otimes)}{q \to \varphi, p^+ \vdash \varphi}\ (\mathrm{I}+)}{q \to \varphi \vdash p^+ \to \varphi}\ (\mathrm{R}\to) \qquad \blacksquare$$


Lemma 4.10 Let $\mathcal{P}/{\equiv}$ denote the set of $\equiv$-equivalence classes. The operations $\cup$, $\otimes$, and ${}^*$ are well defined on $\mathcal{P}/{\equiv}$, and the quotient structure $(\mathcal{P}/{\equiv}, \cup, \otimes, {}^*, \bot, 1)$ is a left-handed KA.

Proof. We must argue that all the following properties hold:
$$\begin{array}{ll}
p \cup (q \cup r) = (p \cup q) \cup r & p(qr) = (pq)r \\
p \cup q = q \cup p & 1p = p1 = p \\
p \cup \bot = p & \bot p = p \bot = \bot \\
p \cup p = p & 1 \cup pp^* = p^* \\
p(q \cup r) = pq \cup pr & 1 \cup p^*p = p^* \\
(p \cup q)r = pr \cup qr & pq \sqsubseteq q \Rightarrow p^*q \sqsubseteq q.
\end{array}$$
These are just the laws of left-handed KA written with the symbols of S.

To derive the distributive law
$$p(q \cup r) \sqsubseteq pq \cup pr,$$
first from (MP), (E1 ∪), and (E ⊗), one can derive $pq \cup pr \to \varphi, p, q \vdash \varphi$ from $pq \cup pr \to \varphi \vdash pq \cup pr \to \varphi$. Similarly, one can derive $pq \cup pr \to \varphi, p, r \vdash \varphi$ using (E2 ∪) instead of (E1 ∪). Then
$$\frac{\dfrac{pq \cup pr \to \varphi, p, q \vdash \varphi \qquad pq \cup pr \to \varphi, p, r \vdash \varphi}{pq \cup pr \to \varphi, p, q \cup r \vdash \varphi}\ (\mathrm{I}\cup)}{pq \cup pr \to \varphi \vdash p(q \cup r) \to \varphi}\ (\mathrm{I}\otimes), (\mathrm{R}\to)$$

All the other axioms of idempotent semirings foll
ow in an equally straightforward manner. Since $\cup$ and $\otimes$ are monotone with respect to $\sqsubseteq$ (Lemma 4.8), they are well defined on $\equiv$-classes.

The inequality $p^+p^+ \sqsubseteq p^+$ follows from (CC +) by:
$$\frac{\dfrac{\dfrac{p^+ \to \varphi \vdash p^+ \to \varphi}{p^+ \to \varphi, p^+ \vdash \varphi}\ (\mathrm{MP})}{p^+ \to \varphi, p^+, p^+ \vdash \varphi}\ (\mathrm{CC}+)}{p^+ \to \varphi \vdash p^+p^+ \to \varphi}\ (\mathrm{I}\otimes), (\mathrm{R}\to)$$

The inequality $p \sqsubseteq p^+$ follows from (E +) in a similar fashion. Monotonicity of ${}^+$ and ${}^*$ then follow from Lemma 4.9 by equational reasoning:
$$p \sqsubseteq q \Rightarrow p \sqsubseteq q^+ \text{ and } q^+q^+ \sqsubseteq q^+ \Rightarrow p^+ \sqsubseteq q^+$$
$$p \sqsubseteq q \Rightarrow p^* = 1 \cup p^+ \sqsubseteq 1 \cup q^+ = q^*.$$

We now prove the KA identities involving ${}^*$. Arguing equationally, we have
$$p \cup pp^+ \sqsubseteq p^+ \cup p^+p^+ \sqsubseteq p^+ \cup p^+ \sqsubseteq p^+,$$
and similarly $p \cup p^+p \sqsubseteq p^+$. For the opposite inequalities we will use Lemma 4.9. Clearly we have $p \sqsubseteq p \cup pp^+$. We also have $pp \sqsubseteq pp^+$, $ppp^+ \sqsubseteq pp^+$, $pp^+p \sqsubseteq pp^+$ and $pp^+pp^+ \sqsubseteq pp^+$, hence
$$(p \cup pp^+)(p \cup pp^+) \sqsubseteq pp^+ \sqsubseteq p \cup pp^+.$$
By Lemma 4.9, $p^+ \sqsubseteq p \cup pp^+$. Since the opposite inequality was already established, we have $p^+ = p \cup pp^+$.

Now we can show that $1 \cup pp^* = p^*$:
$$p^* = 1 \cup p^+ = 1 \cup p \cup pp^+ = 1 \cup p(1 \cup p^+) = 1 \cup pp^*.$$
The identities $p^+ = p \cup p^+p$ and $1 \cup p^*p = p^*$ are obtained in a similar fashion.

It remains to show $pq \sqsubseteq q \Rightarrow p^*q \sqsubseteq q$. This is established by the following derivation:
$$\frac{\dfrac{\dfrac{q \to \varphi \vdash q \to \varphi}{q \to \varphi, 1 \vdash q \to \varphi}\ (\mathrm{W}\psi) \qquad \dfrac{\dfrac{\dfrac{\dfrac{q \to \varphi \vdash pq \to \varphi}{q \to \varphi, pq \vdash \varphi}\ (\mathrm{MP})}{q \to \varphi, p, q \vdash \varphi}\ (\mathrm{E}\otimes)}{q \to \varphi, p \vdash q \to \varphi}\ (\mathrm{R}\to)}{q \to \varphi, p^+ \vdash q \to \varphi}\ (\mathrm{iter})}{q \to \varphi, 1 \cup p^+ \vdash q \to \varphi}\ (\mathrm{I}\cup)}{q \to \varphi \vdash (1 \cup p^+)q \to \varphi}\ (\mathrm{MP}), (\mathrm{I}\otimes), (\mathrm{R}\to) \qquad \blacksquare$$

Lemma 4.11 If $b \to c$ is a classical tautology, then $b \sqsubseteq c$. Thus the tests form a Boolean algebra modulo $\equiv$.

Proof. We have $c \to \varphi, b \vdash c$ by the axiom $b \vdash c$ and the weakening rule (W ψ), and we have $c \to \varphi, c \vdash \varphi$ by (MP). The desired conclusion $c \to \varphi \vdash b \to \varphi$ then follows from (cut) and (R →). $\blacksquare$

Combining Lemmas 4.10 and 4.11 and the fact that the regular sets of guarded strings form the free KAT on generators $P$ and $B$, we have

Lemma 4.12 The structure $(\mathcal{P}/{\equiv}, \mathcal{B}/{\equiv}, \cup, \otimes, {}^*, \bar{\ }, \bot, 1)$ is a left-handed KAT and is isomorphic to the algebra of regular sets of guarded strings over $P$ and $B$. Thus for any programs $p$ and $q$, $p \sqsubseteq q$ iff $\mathrm{GS}(p) \subseteq \mathrm{GS}(q)$ and $p \equiv q$ iff $\mathrm{GS}(p) = \mathrm{GS}(q)$.


5 Soundness

Theorem 5.1 If $\Gamma \vdash \varphi$ is provable, then it is valid in all trace and relational models.

Proof. We need only show soundness over trace models. This is easily established by induction on proofs in S with one case for each proof rule. We argue the cases (cut) and (I →) explicitly.

For (cut), we need to show that
$$[\![\Gamma, \Delta]\!]_K \subseteq [\![\Gamma, \Delta, \varphi]\!]_K$$
under the assumptions
$$[\![\Gamma]\!]_K \subseteq [\![\Gamma, \psi]\!]_K$$
$$[\![\Gamma, \psi, \Delta]\!]_K \subseteq [\![\Gamma, \psi, \Delta, \varphi]\!]_K.$$
Using monotonicity of $\circ$,
$$\begin{aligned}
[\![\Gamma, \Delta]\!]_K &= [\![\Gamma]\!]_K \circ [\![\Delta]\!]_K \\
&\subseteq [\![\Gamma, \psi]\!]_K \circ [\![\Delta]\!]_K \\
&= [\![\Gamma, \psi, \Delta]\!]_K \\
&\subseteq [\![\Gamma, \psi, \Delta, \varphi]\!]_K \\
&= [\![\Gamma]\!]_K \circ [\![\psi]\!]_K \circ [\![\Delta, \varphi]\!]_K \\
&\subseteq [\![\Gamma]\!]_K \circ [\![1]\!]_K \circ [\![\Delta, \varphi]\!]_K \\
&= [\![\Gamma]\!]_K \circ [\![\Delta, \varphi]\!]_K \\
&= [\![\Gamma, \Delta, \varphi]\!]_K.
\end{aligned}$$

For (I →), we want to show that if
$$[\![\Gamma, p, \psi, \Delta]\!]_K \subseteq \mathrm{last}^{-1}([\![\varphi]\!]_K),$$
then
$$[\![\Gamma, p \to \psi, p, \Delta]\!]_K \subseteq \mathrm{last}^{-1}([\![\varphi]\!]_K).$$
It suffices to show that
$$[\![p \to \psi]\!]_K \circ [\![p]\!]_K \subseteq [\![p]\!]_K \circ [\![\psi]\!]_K.$$
But
$$\begin{aligned}
\tau \in [\![p \to \psi]\!]_K \circ [\![p]\!]_K
&\iff \mathrm{first}(\tau) \in [\![p \to \psi]\!]_K \text{ and } \tau \in [\![p]\!]_K \\
&\Rightarrow \tau \in [\![p]\!]_K \text{ and } \mathrm{last}(\tau) \in [\![\psi]\!]_K \\
&\iff \tau \in [\![p]\!]_K \circ [\![\psi]\!]_K.
\end{aligned}$$

The other cases are equally straightforward. $\blacksquare$

6 Completeness

Theorem 6.1 If $\Gamma \nvdash \varphi$, then there exist an acyclic trace model $K$ and a trace $\sigma \in [\![\Gamma]\!]_K$ such that $\mathrm{last}(\sigma) \notin [\![\varphi]\!]_K$.

Proof. By Lemma 4.6, we can assume without loss of generality that $\varphi$ is of the form $p \to \bot$. The proof proceeds by induction on the length of $\Gamma$. For the basis of the induction, suppose $\Gamma$ is empty, so that $\nvdash p \to \bot$. Then $p \not\equiv \bot$. By Lemma 4.12, $\mathrm{GS}(p) \ne \emptyset$. Construct a Kripke frame $K$ consisting of a single acyclic trace $\sigma$ such that $\mathrm{gs}(\sigma) \in \mathrm{GS}(p)$. By Lemma 3.2, $\sigma \in [\![p]\!]_K$. Then $\mathrm{first}(\sigma) \in [\![\varepsilon]\!]_K$ and $\mathrm{first}(\sigma) \notin [\![p \to \bot]\!]_K$.

For the induction step in which the environment ends with a program, say $\Gamma, p \nvdash \varphi$, we have $\Gamma \nvdash p \to \varphi$ by (MP). Applying the induction hypothesis, there exist an acyclic trace model $K$ and traces $\sigma$ and $\tau$ such that $\sigma \in [\![\Gamma]\!]_K$, $\mathrm{last}(\sigma) = \mathrm{first}(\tau)$, $\tau \in [\![p]\!]_K$, and $\mathrm{last}(\tau) \notin [\![\varphi]\!]_K$. Then $\sigma\tau \in [\![\Gamma, p]\!]_K$ and $\mathrm{last}(\sigma\tau) \notin [\![\varphi]\!]_K$.

Finally, we argue the induction step in which the environment ends with a formula, say $\Gamma, \psi \nvdash \varphi$. By Lemma 4.6, we can rewrite this as $\Gamma, q \to \bot \nvdash p \to \bot$. Let $w$ be an expression representing the set of all guarded strings (see Lemma 3.1). Let $r$ and $s$ be programs such that $\mathrm{GS}(r) = \mathrm{GS}(p) \cap \mathrm{GS}(qw)$ and $\mathrm{GS}(s) = \mathrm{GS}(p) - \mathrm{GS}(qw)$. These programs exist by Lemma 3.1, and $\mathrm{GS}(p) = \mathrm{GS}(r \cup s)$. By Lemma 4.12, we can replace $p$ by $r \cup s$ to get $\Gamma, q \to \bot \nvdash r \cup s \to \bot$. By (R →), $\Gamma, q \to \bot, r \cup s \nvdash \bot$, and by (I ∪), either $\Gamma, q \to \bot, r \nvdash \bot$ or $\Gamma, q \to \bot, s \nvdash \bot$. But it cannot be the former, since $\Gamma, q \to \bot, q, w \vdash \bot$, therefore $\Gamma, q \to \bot \vdash qw \to \bot$, and by Lemma 4.12, $r \sqsubseteq qw$, therefore by (cut), $\Gamma, q \to \bot \vdash r \to \bot$.

Thus it must be the case that $\Gamma, q \to \bot, s \nvdash \bot$, so $\Gamma, q \to \bot \nvdash s \to \bot$. By weakening we have $\Gamma \nvdash s \to \bot$. Then by the induction hypothesis, there exist an acyclic trace model $K$ and traces $\sigma \in [\![\Gamma]\!]_K$ and $\tau \in [\![s]\!]_K$ such that $\mathrm{last}(\sigma) = \mathrm{first}(\tau)$. Construct a trace model $M$ consisting only of the acyclic trace $\sigma\tau$. By Lemma 3.2, $\tau \notin [\![qw]\!]_M$, therefore no prefix of $\tau$ is in $[\![q]\!]_M$. Then $\mathrm{last}(\sigma) \in [\![q \to \bot]\!]_M$, therefore $\sigma \in [\![\Gamma, q \to \bot]\!]_M$. Moreover, $\mathrm{last}(\sigma) \notin [\![p \to \bot]\!]_M$, since $\mathrm{last}(\sigma) = \mathrm{first}(\tau)$ and $\tau \in [\![p]\!]_M$. $\blacksquare$

7 Conclusions and Future Work

It has recently been shown that deciding whether a given sequent is valid is PSPACE-complete [12]. Several interesting questions present themselves for further investigation.

1. The completeness proof relies on the results of Boffa [2, 3], which are based in turn on the results of Krob [18]. Krob's proof is fairly involved, comprising an entire journal issue. One would like to have a proof of completeness based on first principles.

2. The relative expressive and deductive power of S compared with similar systems such as KAT, PDL, and PHL is not completely understood. S is at least as expressive as PHL and the equational theory of KAT, and apparently more so, since it is not clear how to express general sequents $\varphi_1, p_1, \varphi_2, \ldots, p_{n-1}, \varphi_n \vdash \varphi$ in PHL or KAT. On the other hand, it is not clear how to express general Horn formulas of KA such as $px = xq \to p^*x = xq^*$ in S.

3. Application of the linear implication operator $\to$ is limited to programs on the left-hand side and formulas on the right-hand side. It would be interesting to see whether more general forms correspond to anything useful and whether the system can be extended to handle them. The operator $\to$ is a form of residuation (see [19, 10]), and this connection bears further investigation.

4. We would like to extend S to handle liveness properties and total correctness.

5. We would like to undertake a deeper investigation into the structure of proofs with an eye toward establishing normal form and cut elimination theorems.

Abstract

We investigate the computational power of several models of dynamical systems under infinitesimal perturbations of their dynamics. We consider in our study models for discrete and continuous time dynamical systems: Turing machines, Piecewise affine maps, Linear hybrid automata and Piecewise constant derivative systems (a simple model of hybrid systems). We associate with each of these models a notion of perturbed dynamics by a small $\varepsilon$ (w.r.t. a suitable metrics), and define the perturbed reachability relation as the intersection of all reachability relations obtained by $\varepsilon$-perturbations, for all possible values of $\varepsilon$. We show that for the four kinds of models we consider, the perturbed reachability relation is co-recursively enumerable, and that any co-r.e. relation can be defined as the perturbed reachability relation of such models. A corollary of this result is that systems that are robust, i.e., their reachability relation is stable under infinitesimal perturbation, are decidable.

1 Introduction

Recently, the investigation of the relations between dynamics and computation attracted attention of several research communities (see e.g. [1] where Turing machines are considered as dynamical systems, and [2] and [3] where discrete and continuous time dynamical systems are considered as computation models).

Our initial motivation for this research was related to hybrid systems (see e.g. [4]). Since the first undecidability results were stated for hybrid systems (such as Linear hybrid automata [5] or Piecewise constant derivative systems [3]), a folklore conjecture appeared, saying that this undecidability is due to non-stability, non-robustness, sensitivity to initial values of the systems, and that it never occurs in "real" systems. There were several attempts to formalize and to prove (or to disprove) this conjecture [6, 7] (cf. Related Work below). We think however that this conjecture is more rich than these formalizations and that exploring relations between complexity of behaviours of a dynamical system (not necessarily hybrid) and its properties related to stability, robustness, chaos is an important scientific challenge (see [8]).

In  this  paper  we  explore  one  facet  of  this  problem:  how 
small  perturbations  of  dynamics  influence  the  computa¬ 
tional  power  of  the  system.  We  consider  different  kinds 
of  transition  systems  corresponding  to  widely  used  mod¬ 
els  of  dynamical  systems:  Turing  machines  (TM),  Piece- 
wise  affine  maps  (PAM),  Linear  hybrid  automata  (LHA), 
and  Piecewi.se  constant  derivative  (PCD)  systems.  We  in¬ 
troduce  for  these  models  a  notion  of  “perturbed”  dynam¬ 
ics  and  study  the  computational  power  of  the  correspond¬ 
ing  perturbed  systems.  Perturbations  are  defined  for  each 
model  using  a  notion  of  metrics  on  the  state  space  (allow¬ 
ing  to  define  how  distant  is  the  ideal  dynamics  from  the 
perturbed  one).  The  notion  of  small  perturbation  is  easier 
to  understand  for  computational  models  with  a  continuous 
state-space  (such  that  PCD,  LHA,  and  PAM)  than  for  dis¬ 
crete  ones  like  TM,  For  such  models,  given  a  transition  sys¬ 
tem  with  a  reachability  relation  R,  the  idea  is  to  perturb  the 
dynamics  by  a  small  e,  and  then,  to  take  (as  the  perturbed 
dynamics  of  the  system)  the  limit  (intersection)  of  the 
perturbed  reachability  relations  as  this  e  tends  to  0.  We  say 
that  a  system  is  robust  if  its  reachability  relation  does  not 
change  under  small  perturbations  of  the  dynamics,  i.e.,  R 
is  equal  to  R^ . 

We show that for the three models PAM, LHA, and PCD, the relation $R_\omega$ belongs to the class $\Pi^0_1$ (i.e. it is co-recursively enumerable), and moreover, any $\Pi^0_1$ relation can be reduced to a relation $R_\omega$ of a perturbed system. In other words, any complement of an r.e. set can be semi-decided by an infinitesimally perturbed system. This result is somewhat surprising since it means that noise by itself does not make the reachability problem decidable, but transforms it in a rather non-trivial way (from $\Sigma^0_1$ to $\Pi^0_1$). Furthermore, an immediate corollary of the result above is the following fact: the reachability problem is decidable for the class of robust systems.
In the case of Turing machines, the analogous notion of small perturbation is obtained by considering the prefix distance (Cantor distance) as the metric on the set of tape configurations. In fact, this metric is an adequate characteristic for these machines; in particular, the dynamics of these machines has good properties w.r.t. this metric, e.g., the transition function of a TM is always Lipschitz w.r.t. it (see [1] for a detailed argument). So, we consider that a TM is subjected to a small noise if its configuration is slightly perturbed in the sense of this metric, or equivalently, all the perturbations of the tape content happen far from the head. Similarly to the other models, given a TM recognizing a language $L$, for every natural number $n$ we define $L_n$ to be the set of all words that are accepted if we allow perturbations (arbitrary changes in the tape) beyond a distance $n$ from the head, and we take $L_\omega$ to be the intersection of all the languages $L_n$. It can be understood intuitively that the notion of robustness of a TM according to this notion of perturbation actually coincides with the notion of boundedness, since only machines that can visit positions arbitrarily far from their initial position can have a different perturbed language. We prove that for TM the same results as for the other models hold: the language $L_\omega$ is in $\Pi^0_1$ and every $\Pi^0_1$ language can be represented as a perturbed language of a TM, which means that robust TMs correspond precisely to machines recognizing recursive languages.

We give in the paper the proofs for the models mentioned above in order of increasing technical complexity. The TM case unveils the mechanism of the effect of perturbation and allows one to understand the essence of this mechanism on a common and relatively simple model. The PAM case makes it clear how this mechanism works in a continuous state space, without unneeded technical complexity. Essentially the same techniques used for PAM can also be applied to the more popular model of LHA (we omit in this extended abstract the proofs concerning LHA). Moreover, the proof for PAM is a good introduction to the trickier one for PCD, which is a simple and natural model for hybrid systems, and perhaps the most motivating case.

Related work. Recently, a similar approach to ours was independently invented and applied in a completely different context, the analysis of numerical methods for chaotic dynamical systems, by Kloeden and Kozyakin. In [9], they refer to the procedure of infinitesimal perturbation of dynamical systems as inflation.

The notion of perturbation we use (especially in the case of continuous state space systems) was inspired by the work of Anuj Puri, who studied the reachability relation of timed automata (with finitely many control states) under infinitesimal perturbation [10]. He showed that for these models the perturbed reachability relation is still decidable, and he gives an effective representation of this relation. Our work concerns models that are more general than timed automata, and aims to show that infinitesimal perturbation has the same effect on several common models of dynamical systems, namely that the perturbed dynamics corresponds in all cases to a co-recursively enumerable relation (set), and that robustness coincides with decidability.

Concerning the decidability of the reachability problem, there are two works closely related to ours [6, 7]: Martin Fränzle has shown in [6] a result similar to ours for a certain model of hybrid systems. Our work shows that the fact that "robustness implies decidability" can be proved for other, different types of transition systems. Moreover, our hardness results (the inverse implication) show that the relation between robustness and decidability is really tight. Our result is in contrast with Thomas Henzinger's result [7] stating that reachability is still undecidable for hybrid systems that allow small perturbations of the trajectory. It is interesting to see that a small semantic difference between these two approaches drastically changes the complexity.

Finally, the effect of noise on the power of analog computational models and the dependence of this power on the noise level are explored in [11, 12, 13]. Differently, we consider in our work the limit behavior as the noise level tends to zero.

Outline. The rest of the paper is organized as follows: in section 2 we define the computation models (kinds of dynamical systems) we consider, TM, PAM, and PCD, and their perturbed versions. In sections 3-5 we formulate and prove the main results for these models. For lack of space, we omit here the case of LHA, since the proofs concerning these models are technically very similar to those for PAM.

Acknowledgments. We would like to thank Vincent Blondel, Victor Kozyakin, Oded Maler and Anuj Puri for useful discussions.

2  Perturbed  Models 

2.1  Perturbed  Turing  machines  (PTMs) 

Let us recall the definition of a Turing machine (TM for short) (see figure 1(a)).

Let $\Sigma$ be a finite alphabet, and let $B$ be a special symbol $B \notin \Sigma$. A TM over $\Sigma$ is a tuple $(Q, q_{init}, F, T)$ where $Q$ is a finite set of control states, $q_{init} \in Q$ is the initial control state, $F \subseteq Q$ is a set of accepting states, and $T$ is a set of transitions of the form $(q, a) \to (q', b, \delta)$ where $q, q' \in Q$, $a, b \in \Sigma \cup \{B\}$, and $\delta \in \{-1, 0, 1\}$.

A configuration of the machine is an unbounded sequence (from left and right) of the form $\cdots a_{-2} a_{-1} [q, a_0] a_1 a_2 \cdots$ where the $a_i$'s are symbols in $\Sigma \cup \{B\}$. Intuitively, $[q, a_0]$ means that the current control state of $M$ is $q$ and that the head of the machine is at symbol $a_0$.

Figure 1: (a) A Turing machine. (b) Its n-perturbed version.

Given a transition $(q, a) \to (q', b, \delta)$ in $T$, if the symbol pointed to by the head of the machine is equal to $a$, then the machine can change its configuration in the following manner: the symbol pointed to by the head is replaced by $b$ and then the head is moved to the left or to the right, or it stays at the same position, according to whether $\delta$ is $-1$, $1$, or $0$, respectively.

Let $w = a_1 \cdots a_n$ be a word in $\Sigma^*$. We say that $w$ is accepted by $M$ if, starting from the configuration $\cdots BBB[q_{init}, a_1] a_2 \cdots a_n BBB \cdots$, the machine $M$ eventually stops in an accepting state. Let $L(M)$ denote the set of such words, i.e., the recursively enumerable (r.e.) language semi-recognized by $M$.

Now, let us introduce the concept of perturbed Turing machines (PTMs for short). Given an integer $n > 0$, the n-perturbed version of the machine $M$ is defined exactly as $M$ except that before any transition all the symbols at distance greater than $n$ from the head of the machine can be altered (i.e., replaced by other symbols) arbitrarily. Given a configuration

$\cdots a_{-n-1} a_{-n} a_{-n+1} \cdots a_{-1} [q, a_0] a_1 \cdots a_n a_{n+1} \cdots$

the n-perturbed version of $M$ may replace any symbols to the left of $a_{-n}$ (starting from $a_{-n-1}$) and to the right of $a_n$ (starting from $a_{n+1}$) by any other symbols in $\Sigma \cup \{B\}$ before executing a transition of $M$ (at $a_0$). Hence, the machine becomes a nondeterministic transition system (see figure 1(b)).

A word $w$ is accepted by the n-perturbed version of $M$ if there exists a run of this machine which stops in an accepting state. Let $L_n(M)$ be the n-perturbed language of $M$, i.e., the set of words in $\Sigma^*$ that are accepted by the n-perturbed version of $M$.

It is easy to see that if a word is accepted by $M$, then it is also accepted by all the n-perturbed versions of $M$, for every $n > 0$ (perturbed machines have more behaviors). Moreover, if the $(n+1)$-perturbed version accepts a word $w$, the n-perturbed version also accepts it, since obviously all alterations at distance greater than $n+1$ from the head can also happen in the n-perturbed machine. Hence, we have:

Lemma 1 $L_1(M) \supseteq L_2(M) \supseteq \cdots \supseteq L(M)$

This technically justifies the following crucial definition (explained in the introduction): the ω-perturbed language of the machine $M$ is given by

$L_\omega(M) = \bigcap_n L_n(M)$

Informally speaking, $L_\omega(M)$ consists of all the words that can be accepted by $M$ when it is subject to arbitrarily "small" perturbations. The previous lemma can be trivially extended to:

Lemma 2 $L_1(M) \supseteq L_2(M) \supseteq \cdots \supseteq L_\omega(M) \supseteq L(M)$

2.2  Piecewise  affine  maps 

The second kind of systems to which we apply small perturbations was introduced as a computation model in [2]. We recall some definitions and results from that paper.

Definition 1 (PAM System) A Piecewise affine map system (PAM) is a discrete-time dynamical system $\mathcal{P}$ defined by an assignment $\mathbf{x} := f(\mathbf{x})$ on a bounded polyhedral set $X \subset \mathbb{R}^d$, where $f$ is a (possibly partial) function from $X$ to $X$ represented by a formula:

$f(\mathbf{x}) = A_i \mathbf{x} + \mathbf{b}_i$ for $\mathbf{x} \in P_i$, $i = 1..N$

where the $A_i$ are rational $d \times d$ matrices, $\mathbf{b}_i \in \mathbb{Q}^d$ and the $P_i$ are rational polyhedral sets in $X$.

A trajectory of $\mathcal{P}$ is a sequence $\mathbf{x}_n$ evolving according to $f$, i.e. such that $\mathbf{x}_{n+1} = f(\mathbf{x}_n)$ for all $n$.

In other words, a PAM system consists of partitioning the space into convex polyhedral sets ("regions"), and assigning an affine update rule $\mathbf{x} := A_i \mathbf{x} + \mathbf{b}_i$ to all the points sharing the same region (see figure 2(a)).


Figure 2: (a) A 2-dimensional PAM system with 2 regions. (b) Its ε-perturbed version.
It is important to emphasize that since we assume that all constants in the system's definition are rational, the expressive power of PAM is not achieved through the introduction of non-computable real numbers.

To each PAM $\mathcal{P}$ we associate its reachability relation $R^{\mathcal{P}}(\cdot, \cdot)$ on $\mathbb{Q}^d$. Namely, for two rational points $\mathbf{x}$ and $\mathbf{y}$ the relation $R^{\mathcal{P}}(\mathbf{x}, \mathbf{y})$ holds iff there exists a trajectory of $\mathcal{P}$ from $\mathbf{x}$ to $\mathbf{y}$.

The following result on the computational power of PAMs was proved in [14, 2].

Theorem 1 (Simulation of TM by PAM) Let $M$ be a TM. We can effectively construct a PAM $\mathcal{P}$ and an encoding $e : \Sigma^* \to \mathbb{Q}^d$ such that for any word $w$ the following equivalence holds: $w \in L(M)$ iff $R^{\mathcal{P}}(e(w), O)$, where $O$ denotes the origin in $\mathbb{R}^d$.

The  following  characterization  of  the  complexity  of  the 
reachability  relation  is  now  immediate: 

Corollary 1 (Computational power of PAM)

• For any PAM $\mathcal{P}$ its reachability relation is r.e.

• Any r.e. set $S$ is 1-reducible (see [15]) to the reachability relation of a PAM.

2.3  Perturbed  PAMs  (PPAMs) 

Now we can apply the paradigm of small perturbations to PAMs. Consider a PAM $\mathcal{P}$ described by the assignment $\mathbf{x} := f(\mathbf{x})$. For any $\varepsilon > 0$ we consider the ε-perturbed system $\mathcal{P}_\varepsilon$ (see figure 2(b)). Its trajectories are defined as sequences $\mathbf{x}_n$ satisfying the inequality $\|\mathbf{x}_{n+1} - f(\mathbf{x}_n)\| < \varepsilon$ for all $n$. This nondeterministic system can be considered as $\mathcal{P}$ submitted to a small noise of magnitude $\varepsilon$. We denote reachability in the system $\mathcal{P}_\varepsilon$ by $R^{\mathcal{P}}_\varepsilon(\cdot, \cdot)$. All trajectories of the non-perturbed system $\mathcal{P}$ are also trajectories of the ε-perturbed system $\mathcal{P}_\varepsilon$. If $\varepsilon_1 < \varepsilon_2$ then any trajectory of the $\varepsilon_1$-perturbed system is also a trajectory of the $\varepsilon_2$-perturbed PAM.

As for TM we can pass to the limit $\varepsilon \to 0$. Namely, $R^{\mathcal{P}}_\omega(\mathbf{x}, \mathbf{y})$ iff $\forall \varepsilon > 0 \; R^{\mathcal{P}}_\varepsilon(\mathbf{x}, \mathbf{y})$. This means reachability with arbitrarily small perturbing noise.

The following analog of Lemmata 1 and 2 is now immediate:

Lemma 3 For any $\varepsilon_2 > \varepsilon_1 > 0$ and rational points $\mathbf{x}$ and $\mathbf{y}$ the following implications hold: $R^{\mathcal{P}}(\mathbf{x}, \mathbf{y}) \Rightarrow R^{\mathcal{P}}_\omega(\mathbf{x}, \mathbf{y}) \Rightarrow R^{\mathcal{P}}_{\varepsilon_1}(\mathbf{x}, \mathbf{y}) \Rightarrow R^{\mathcal{P}}_{\varepsilon_2}(\mathbf{x}, \mathbf{y})$

2.4 Piecewise Constant Derivative Hybrid Systems (PCDs)

The last kind of systems to which we apply small perturbations was introduced in [3] in the context of hybrid systems. We recall some definitions and results.


Figure 3: (a) A 2-dimensional PCD system with 4 regions and a trajectory from $\mathbf{x}$ to $\mathbf{y}$. (b) The ε-perturbed version of this PCD.

Definition 2 (PCD System) A piecewise-constant derivative (PCD) system is a continuous-time dynamical system $\mathcal{H}$ defined by a differential equation $\dot{\mathbf{x}} = f(\mathbf{x})$ on a bounded polyhedral set $X \subset \mathbb{R}^d$ (the state space), where $f$ is a (possibly partial) function from $X$ to $\mathbb{R}^d$ represented by a formula:

$f(\mathbf{x}) = \mathbf{c}_i$ for $\mathbf{x} \in P_i$, $i = 1..N$

where $\mathbf{c}_i \in \mathbb{Q}^d$ and the $P_i$ are rational polyhedral sets in $X$.

A trajectory of $\mathcal{H}$ starting at some $\mathbf{x}_0 \in X$ is a solution of the differential equation with initial condition $\mathbf{x} = \mathbf{x}_0$, defined as a continuous function $\xi : \mathbb{R}^+ \to X$ such that $\xi(0) = \mathbf{x}_0$ and for every $t$, $f(\xi(t))$ is defined and is equal to the right derivative of $\xi(t)$.

In other words, a PCD system consists of partitioning the space into convex polyhedral sets ("regions"), and assigning a constant derivative $\mathbf{c}$ ("slope") to all the points sharing the same region (see figure 3(a)). The trajectories of such systems are broken lines, with the breakpoints occurring on the boundaries of the regions. In order to rule out some pathologies we consider only PCDs $\mathcal{H}$ which satisfy the additional assumption of being strongly non-Zeno, i.e. the time interval between two consecutive visits of the same region is bounded from below by a positive constant $\Delta$.

To each PCD $\mathcal{H}$ we associate its reachability relation $R^{\mathcal{H}}(\cdot, \cdot)$ on $\mathbb{Q}^d$. Namely, for two rational points $\mathbf{x}$ and $\mathbf{y}$ the relation $R^{\mathcal{H}}(\mathbf{x}, \mathbf{y})$ holds iff there exists a trajectory of $\mathcal{H}$ from $\mathbf{x}$ to $\mathbf{y}$.

The following result on the computational power of PCDs was proved in [3].

Theorem 2 (Simulation of TM by PCD) Let $M$ be a TM. We can effectively construct a PCD $\mathcal{H}$ and an encoding $e : \Sigma^* \to \mathbb{Q}^d$ such that for any word $w$ the following equivalence holds: $w \in L(M)$ iff $R^{\mathcal{H}}(e(w), O)$, where $O$ denotes the origin.
Corollary 2 (Computational power of (strongly non-Zeno) PCD)

• For any PCD $\mathcal{H}$ its reachability relation is r.e.

• Any r.e. set $S$ is 1-reducible (see [15]) to the reachability relation of a PCD.

2.5  Perturbed  PCDs  (PPCDs) 

Consider a PCD $\mathcal{H}$ described by an ODE $\dot{\mathbf{x}} = f(\mathbf{x})$. For any $\varepsilon > 0$ the ε-perturbed system $\mathcal{H}_\varepsilon$ is described by the differential inclusion $\|\dot{\mathbf{x}} - f(\mathbf{x})\| < \varepsilon$. This nondeterministic system can be considered as $\mathcal{H}$ submitted to a small noise of magnitude $\varepsilon$ (see figure 3(b)). We denote reachability in the system $\mathcal{H}_\varepsilon$ by $R^{\mathcal{H}}_\varepsilon(\cdot, \cdot)$. The limit reachability relation $R^{\mathcal{H}}_\omega(\mathbf{x}, \mathbf{y})$ is introduced, and an analog of Lemma 3 is stated, exactly as for PAMs.

3  Results  on  PTMs 

Our first result is that the ω-perturbed language of a TM is the complement of a recursively enumerable language.

Theorem 3 (Perturbed reachability is co-r.e.) $L_\omega(M)$ is in the class $\Pi^0_1$.

Proof: First, we show that for every $n \in \mathbb{N}$, $L_n(M)$ is a regular language.

Let us associate with the n-perturbed version of $M$ a finite-state machine $A_n$ defined as follows: (1) Each of its configurations is composed of a control state of $M$ and a finite sequence of length $2n+1$ corresponding to the part of the configuration within radius $n$ of the head. There are $|Q| \times (|\Sigma| + 1)^{2n+1}$ such configurations. (2) The transition relation is constructed by simulating the transitions of $M$ and considering that, when the head is moved to the left (resp. to the right), a symbol in $\Sigma \cup \{B\}$ is nondeterministically chosen and appended to the left (resp. right) of the configuration and the right-most (resp. left-most) one is lost (it now belongs to the perturbed area of the configuration and hence can be replaced by any other symbol).

To formulate the link between the computations of $A_n$ and those of the n-perturbed version of $M$ we need some definitions and notations. Let $Accept = (\Sigma \cup \{B\})^n \times (F \times (\Sigma \cup \{B\})) \times (\Sigma \cup \{B\})^n$. Given a configuration of $M$

$c = \cdots a_{-n-1} a_{-n} a_{-n+1} \cdots a_{-1} [q, a_0] a_1 \cdots a_{n-1} a_n a_{n+1} \cdots$

we define the sequence

$c|_n = a_{-n} a_{-n+1} \cdots a_{-1} [q, a_0] a_1 \cdots a_{n-1} a_n$

of length $2n+1$.

Then, it is easy to see that:

The n-perturbed version of $M$ has an accepting run starting from a configuration $c$ if and only if there exists $f \in Accept$ such that $c|_n \xrightarrow{*} f$ in $A_n$.


Hence, we can effectively construct $L_n(M)$ as a finite union of computable regular languages. Let $Basis$ be the finite set of sequences $a_0 a_1 \cdots a_n \in \Sigma^{n+1}$ such that $B^n [q_{init}, a_0] a_1 \cdots a_n \xrightarrow{*} f$ for some $f \in Accept$. Let $Short$ be the finite set of sequences $a_0 a_1 \cdots a_k \in \Sigma^*$ with $k < n$ such that $B^n [q_{init}, a_0] a_1 \cdots a_k B^{n-k} \xrightarrow{*} f$ for some $f \in Accept$. Then, we have

$L_n(M) = Short \cup Basis\,\Sigma^*$

Since $L_n(M)$ is regular and effectively constructible, the same holds for its complement $\overline{L_n(M)}$. Hence, the set $\bigcup_n \overline{L_n(M)} = \overline{L_\omega(M)}$ is recursively enumerable as a union of a computable sequence of regular languages. □

A consequence of the theorem above is that robust languages (i.e. $L_\omega(M) = L(M)$) are necessarily recursive (since they must be in $\Sigma^0_1 \cap \Pi^0_1$):

Corollary 3 (Robust ⇒ decidable) If $L_\omega(M) = L(M)$ then $L(M)$ is recursive.

The converse holds if we add another requirement on $M$:

Proposition 1 (Decidable ⇒ robust) If $M$ always stops (and hence $L(M)$ is recursive) then $L_\omega(M) = L(M)$.

Now, we show that in general ω-perturbed languages are not recursively enumerable. In fact, the following result says that some of them are complete among $\Pi^0_1$ languages.

Theorem 4 (Perturbed reachability is complete in $\Pi^0_1$) For every TM $M$, we can effectively construct another TM $M'$ such that $L_\omega(M') = \overline{L(M)}$.

Proof: Let $M = (Q, q_{init}, F, T)$ be a TM over $\Sigma$. Suppose w.l.o.g. that the machine $M$ is such that, for every input $w \notin L(M)$, $M$ never stops and uses an unbounded working space (the head goes arbitrarily far from the initial position).

Now, let us consider an extra symbol $\# \notin \Sigma$. Then, we define the TM $M' = (Q', q'_{init}, F', T')$ over $\Sigma \cup \{\#\}$ as follows: $Q' = Q \cup \{q_f\}$, $q'_{init} = q_{init}$, $F' = \{q_f\}$, and

$T' = T \cup \{(q, \#) \to (q_f, \#, 0) : q \in Q\}$.

This means that $M'$ is constructed as $M$ except that all accepting states of $M$ are rejecting for $M'$ and that whenever $M'$ sees the symbol $\#$, it stops in its unique accepting state $q_f$. Let us prove that we have indeed $L_\omega(M') = \overline{L(M)}$.

Consider a word $w \in L(M)$. Then, there exists an accepting run of $M$ on $w$. By definition of $M'$, this run is rejecting for $M'$. Let $N$ be the size of the space used by this run. It can be seen that the $(N+1)$-perturbed version of $M'$ has exactly the same behavior as $M'$ on $w$, since perturbations in the non-visited part of the configuration have no effect. Hence $w \notin L_{N+1}(M')$, and consequently $w \notin L_\omega(M')$ (Lemma 2).

Consider now a word $w \notin L(M)$. We show that for every $n > 0$, the n-perturbed version of $M'$ recognizes $w$, which implies that $w$ belongs to $L_\omega(M')$. Let $n > 0$ and let us exhibit an accepting run of the n-perturbed version of $M'$ on $w$. Suppose that, in the perturbed machine, starting from the initial configuration, the two symbols at distance $n+1$ to the left and to the right of the head are replaced by the symbol $\#$. Then, since $w \notin L(M)$, the machine $M$ has an unbounded run on $w$ (see above the initial hypothesis on $M$). Since $M'$ has all the transitions of $M$, it also has the same unbounded run on $w$, visiting positions arbitrarily far from the initial position of the head. Hence, the considered run of the n-perturbed version of $M'$ eventually finds the $\#$ symbol and goes to the accepting state. □
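As an added illustration (this is not code from the paper), the following Python block implements the finite-state machine $A_n$ from the proof of Theorem 3 to decide membership in $L_n(M)$ for a constructed machine, and the $M'$ construction of Theorem 4. The machine $M$ (with $L(M) = a^*$), its alphabet $\{a, b\}$ and the state names are constructed for this example; the blank $B$ and the symbol # are represented by the characters "B" and "#", which are assumed not to belong to $\Sigma$. Acceptance is taken to mean reaching a state of $F$, as in the definition of section 2.1.

```python
from collections import deque

BLANK = "B"   # the blank symbol of the paper; assumption: "B" itself is not a letter of Sigma


def perturbed_accepts(tm, alphabet, word, n):
    """True iff the n-perturbed version of `tm` has an accepting run on `word`.

    Explores the finite-state machine A_n from the proof of Theorem 3: a state
    is (q, window) where window holds the 2n+1 symbols a_{-n} .. a_n around the
    head (head at index n).  A head move shifts the window; the symbol that
    enters it comes from the perturbed zone, so it is chosen nondeterministically.
    """
    _, init, accept, delta = tm
    syms = sorted(alphabet) + [BLANK]
    # initial configuration ... B B B [q_init, a_1] a_2 ... a_k B B B ... restricted
    # to radius n: n blanks on the left, the first n+1 tape cells on the right
    tape = list(word) + [BLANK] * max(0, n + 1 - len(word))
    start = (init, tuple([BLANK] * n + tape[: n + 1]))
    seen, queue = {start}, deque([start])
    while queue:
        q, win = queue.popleft()
        if q in accept:
            return True
        for q2, b, d in delta.get((q, win[n]), ()):
            w = list(win)
            w[n] = b                      # write under the head
            if d == 0:
                succ = [tuple(w)]
            elif d == 1:                  # move right: a_{-n} is lost, a new a_{n+1} enters
                succ = [tuple(w[1:] + [s]) for s in syms]
            else:                         # move left: a_n is lost, a new a_{-n-1} enters
                succ = [tuple([s] + w[:-1]) for s in syms]
            for win2 in succ:
                if (q2, win2) not in seen:
                    seen.add((q2, win2))
                    queue.append((q2, win2))
    return False                          # the finite state space is exhausted


def perturbed_chain(tm, alphabet, word, max_n):
    """[w in L_1(M), w in L_2(M), ..., w in L_max_n(M)]; by Lemma 1 it is monotone."""
    return [perturbed_accepts(tm, alphabet, word, n) for n in range(1, max_n + 1)]


def example_tm():
    """Constructed machine M over {a, b} with L(M) = a*: it scans right and accepts
    on the first blank; on a 'b' it enters q1 and runs right forever, so every
    rejected input uses unbounded space (the w.l.o.g. hypothesis of Theorem 4)."""
    delta = {
        ("q0", "a"): {("q0", "a", 1)},
        ("q0", BLANK): {("qacc", BLANK, 0)},
        ("q0", "b"): {("q1", "b", 1)},
    }
    for s in ("a", "b", BLANK):
        delta[("q1", s)] = {("q1", s, 1)}
    return ({"q0", "q1", "qacc"}, "q0", {"qacc"}, delta), {"a", "b"}


def theorem4_construction(tm, alphabet, hash_sym="#"):
    """M' of Theorem 4: M's accepting states become rejecting, a fresh state q_f is
    the only accepting one, and every state halts in q_f on reading hash_sym."""
    states, init, _, delta = tm
    qf = "q_f"
    delta2 = {k: set(v) for k, v in delta.items()}
    for q in states:
        delta2[(q, hash_sym)] = {(qf, hash_sym, 0)}
    return (states | {qf}, init, {qf}, delta2), alphabet | {hash_sym}


if __name__ == "__main__":
    M, sigma = example_tm()
    Mp, sigma_p = theorem4_construction(M, sigma)
    for w in ("aa", "ab"):
        print(w, "L_n(M):", perturbed_chain(M, sigma, w, 3),
              " L_n(M'):", perturbed_chain(Mp, sigma_p, w, 3))
```

Running it shows the two halves of the proof of Theorem 4 on concrete words: "aa" is in $L(M)$, its accepting run visits three cells, so "aa" is in $L_1(M')$ (a # can enter the window after two moves) but not in $L_2(M')$ or any later $L_n(M')$, while "ab", which is not in $L(M)$, is in every $L_n(M')$ because the run moves right without bound and eventually reads a #. The chains are monotone as Lemma 1 requires, and each call terminates because $A_n$ has only $|Q| \times (|\Sigma|+1)^{2n+1}$ states.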

4  Results  on  PPAMs 

We consider now the case of perturbed PAMs and show that their perturbed reachability relation is co-recursively enumerable.

Theorem 5 (Perturbed reachability is co-r.e.) The relation $R^{\mathcal{P}}_\omega(\mathbf{x}, \mathbf{y})$ is $\Pi^0_1$ on $\mathbb{Q}^d$.

Remember that in the case of TM, the proof of the similar result was based on the fact that the n-perturbed TM is in fact a finite-state system. For PAM this does not hold, but we can show that each ε-perturbed PAM can be "faithfully" approximated by a finite-state automaton, which we define hereafter:

Consider a PAM $\mathbf{x} := f(\mathbf{x}) = A_i \mathbf{x} + \mathbf{b}_i$ for $\mathbf{x} \in P_i$, $i = 1..N$. For any $\delta$ we can partition $X$ into finitely many cubes $V_1, \ldots, V_S$ of size $\delta$. We say that $V_j$ is a δ-successor of $V_k$ if $dist(f(V_k), V_j) < \delta$, that is, if some point of $V_k$ can be mapped to a point near $V_j$. Now we can construct a finite automaton $A_\delta$ with states $Q_\delta = \{q_1, \ldots, q_S\}$, and with a transition from $q_k$ to $q_j$ authorized iff $V_j$ is a δ-successor of $V_k$. Informally speaking, the automaton $A_\delta$ represents the PAM with accuracy $\delta$. In order to formalize this we introduce the following abstraction function from $X$ to $Q_\delta$: $\alpha_\delta(\mathbf{x}) = q_i$ for $\mathbf{x} \in V_i$.

Lemma 4 (Simulation) (1) For any $\varepsilon > 0$, if $\|f(\mathbf{x}) - \mathbf{y}\| < \varepsilon$ (i.e. the ε-perturbed system can make a transition from $\mathbf{x}$ to $\mathbf{y}$) then the automaton $A_\varepsilon$ can make a transition from $\alpha_\varepsilon(\mathbf{x})$ to $\alpha_\varepsilon(\mathbf{y})$; (2) for any $\delta > 0$, if the automaton $A_\delta$ can make a transition from $\alpha_\delta(\mathbf{x})$ to $\alpha_\delta(\mathbf{y})$, then $\|f(\mathbf{x}) - \mathbf{y}\| < C\delta$ (i.e. the $C\delta$-perturbed system can make a transition from $\mathbf{x}$ to $\mathbf{y}$), where $C$ is a rational constant independent of $\delta$.


Proof: (1) Suppose that $\|f(\mathbf{x}) - \mathbf{y}\| < \varepsilon$. Let $\alpha_\varepsilon(\mathbf{x}) = q_k$ and $\alpha_\varepsilon(\mathbf{y}) = q_j$. Then $dist(f(V_k), V_j) \le dist(f(\mathbf{x}), \mathbf{y}) < \varepsilon$. Hence by definition of the automaton the state $q_j$ is reachable from $q_k$.

(2) Suppose that $\alpha_\delta(\mathbf{x}) = q_k$ and $\alpha_\delta(\mathbf{y}) = q_j$ and the state $q_j$ is reachable from $q_k$. In this case $dist(f(V_k), V_j) < \delta$. Hence there exist $\mathbf{x}_0 \in V_k$ and $\mathbf{y}_0 \in V_j$ such that $\|f(\mathbf{x}_0) - \mathbf{y}_0\| < \delta$. As $\mathbf{x}_0$ and $\mathbf{x}$ are in the same cube $V_k$, the distance between them is at most the diameter $\sqrt{d}\,\delta$ of this cube. The same is true for $\mathbf{y}_0$ and $\mathbf{y}$. Finally

$\|f(\mathbf{x}) - \mathbf{y}\| \le \|f(\mathbf{x}) - f(\mathbf{x}_0)\| + \|f(\mathbf{x}_0) - \mathbf{y}_0\| + \|\mathbf{y}_0 - \mathbf{y}\| < L\sqrt{d}\,\delta + \delta + \sqrt{d}\,\delta,$

where the Lipschitz constant $L$ can be taken as $L = \max_i \|A_i\|$. We can now take $C \ge L\sqrt{d} + 1 + \sqrt{d}$. □


Corollary 4 $R^{\mathcal{P}}_\omega(\mathbf{x}, \mathbf{y})$ holds iff for all rational $\delta > 0$ the state $\alpha_\delta(\mathbf{y})$ is reachable from $\alpha_\delta(\mathbf{x})$ in the automaton $A_\delta$.

Hence by complementation $\neg R^{\mathcal{P}}_\omega(\mathbf{x}, \mathbf{y})$ iff for some rational $\delta > 0$ the state $\alpha_\delta(\mathbf{y})$ is unreachable from $\alpha_\delta(\mathbf{x})$ in the automaton $A_\delta$. Unreachability in this automaton is decidable for any particular $\delta$ (uniformly in $\delta$), and hence the relation $\neg R^{\mathcal{P}}_\omega$ is recursively enumerable, which terminates the proof of Theorem 5.

Corollary 5 (Robust ⇒ decidable) If $R^{\mathcal{P}}_\omega = R^{\mathcal{P}}$ then $R^{\mathcal{P}}$ is recursive.
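The semi-decision procedure for $\neg R^{\mathcal{P}}_\omega$ that Corollary 4 yields can be run on a small system. The following Python block is an added example, not code from the paper: it builds the abstraction $A_\delta$ (cubes of size $\delta$, δ-successor rule $dist(f(V_k), V_j) < \delta$, abstraction function $\alpha_\delta$) for a constructed one-dimensional PAM on $X = [0, 1]$ with two regions, $f(x) = x/2$ on $[0, 1/2)$ and $f(x) = x/2 + 1/2$ on $[1/2, 1]$, and then enumerates $\delta = 1/2, 1/4, \ldots$ looking for an automaton in which $\alpha_\delta(y)$ is unreachable from $\alpha_\delta(x)$. Exact rational arithmetic is used throughout, matching the paper's assumption that all constants are rational; the cap on the number of refinements is an assumption of the example, since the procedure does not halt when $R^{\mathcal{P}}_\omega(x, y)$ holds.

```python
from collections import deque
from fractions import Fraction as Fr

# Constructed 1-D PAM on X = [0, 1] (an example system, not one from the paper):
#   f(x) = x/2        for x in [0, 1/2)   region P_1, contracts toward 0
#   f(x) = x/2 + 1/2  for x in [1/2, 1]   region P_2, contracts toward the fixed point 1
# Each region is (lo, hi, closed_hi, A, b) meaning x := A*x + b on [lo, hi) or [lo, hi].
PAM = [
    (Fr(0), Fr(1, 2), False, Fr(1, 2), Fr(0)),
    (Fr(1, 2), Fr(1), True, Fr(1, 2), Fr(1, 2)),
]
X_LO, X_HI = Fr(0), Fr(1)


def image_intervals(lo, hi):
    """Closure of f([lo, hi]) as a list of intervals, one per region the cube meets."""
    out = []
    for plo, phi, closed_hi, a, b in PAM:
        ilo, ihi = max(lo, plo), min(hi, phi)
        if ilo > ihi or (ilo == ihi and ihi == phi and not closed_hi):
            continue          # the cube misses this region (or only touches its open end)
        y0, y1 = a * ilo + b, a * ihi + b
        out.append((min(y0, y1), max(y0, y1)))
    return out


def interval_dist(p, q):
    """dist between two closed intervals (0 if they overlap)."""
    (a, b), (c, d) = p, q
    return max(Fr(0), c - b, a - d)


def abstraction(delta):
    """Cubes V_0 .. V_{S-1} of size delta and the transitions of A_delta:
    q_k -> q_j iff dist(f(V_k), V_j) < delta (V_j is a delta-successor of V_k)."""
    delta = Fr(delta)
    S = int((X_HI - X_LO) / delta)
    cubes = [(X_LO + k * delta, X_LO + (k + 1) * delta) for k in range(S)]
    succ = {k: set() for k in range(S)}
    for k, (lo, hi) in enumerate(cubes):
        images = image_intervals(lo, hi)
        for j, vj in enumerate(cubes):
            if any(interval_dist(im, vj) < delta for im in images):
                succ[k].add(j)
    return cubes, succ


def alpha(x, delta):
    """Abstraction function alpha_delta: index of the cube containing x
    (a grid point is assigned to the cube on its right, the last cube keeps X_HI)."""
    x, delta = Fr(x), Fr(delta)
    S = int((X_HI - X_LO) / delta)
    return min(int((x - X_LO) / delta), S - 1)


def reachable(succ, src, dst):
    seen, queue = {src}, deque([src])
    while queue:
        k = queue.popleft()
        if k == dst:
            return True
        for j in succ[k] - seen:
            seen.add(j)
            queue.append(j)
    return False


def refute_perturbed_reach(x, y, max_refinements=8):
    """Semi-decision procedure for NOT R_omega(x, y) given by Corollary 4:
    try delta = 1/2, 1/4, ... and return the first delta for which alpha(y) is
    unreachable from alpha(x) in A_delta.  Returns None if every tried delta still
    reaches, which is what happens when R_omega(x, y) holds (the search would not halt)."""
    delta = Fr(1, 2)
    for _ in range(max_refinements):
        _, succ = abstraction(delta)
        if not reachable(succ, alpha(x, delta), alpha(y, delta)):
            return delta
        delta /= 2
    return None


if __name__ == "__main__":
    # R_omega(1/4, 3/4) is false: the orbit of 1/4 contracts toward 0, and the
    # automaton for delta = 1/8 already certifies unreachability.
    print("refute R_omega(1/4, 3/4):", refute_perturbed_reach("1/4", "3/4"))
    # R_omega(1/2, 1) is true although R(1/2, 1) is false: the ideal orbit
    # 3/4, 7/8, ... never hits 1, but with any epsilon it gets within epsilon and jumps.
    print("refute R_omega(1/2, 1):", refute_perturbed_reach("1/2", "1"))
```

The pair $(1/2, 1)$ shows why the procedure is only a semi-decision: the ideal trajectory $3/4, 7/8, \ldots$ never reaches $1$, so $R^{\mathcal{P}}(1/2, 1)$ is false, yet for every $\varepsilon$ the perturbed system gets within $\varepsilon$ of the fixed point and can jump onto it, so $R^{\mathcal{P}}_\omega(1/2, 1)$ holds and no $A_\delta$ ever certifies unreachability. This system is therefore not robust in the sense of Corollary 5, and the coarser automata at $\delta = 1/2$ and $\delta = 1/4$ also report $3/4$ reachable from $1/4$ only because the cube containing $1/4$ touches the boundary point $1/2$, whose image is $3/4$; the refinement to $\delta = 1/8$ removes that spurious path.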

Let us consider now the converse of Theorem 5. We prove the following fact:

Theorem 6 (Perturbed reachability is complete in $\Pi^0_1$) Let $M$ be a TM. We can effectively construct a PAM $\mathcal{P}$ and an encoding $e : \Sigma^* \to \mathbb{Q}^d$ such that for any word $w$ the following holds: $w \notin L(M)$ iff $R^{\mathcal{P}}_\omega(e(w), O)$.

Proof: W.l.o.g. suppose that on any input word the machine $M$ either stops in an accepting state, or computes forever. First we construct a 2-dimensional PAM $\mathcal{P}_0$ (and an input encoding $e_0 : \Sigma^* \to \mathbb{Q}^2$) that simulates $M$ and semi-recognizes $L(M)$ as described in [2]. Its main property is that for any word $w$ the following equivalence holds: $w \in L(M)$ iff $R^{\mathcal{P}_0}(e_0(w), O)$. It is easy to verify that if a rather small neighborhood (e.g. a 1/10-square) of the origin (which represents the accepting state of the TM) is reachable from $e_0(w)$ then $w \in L(M)$. The last useful property of this simulation is that all the points of the trajectory starting from $e_0(w)$ are interior points of the polyhedra $P_i$.
Now we construct a new 3-dimensional PAM $\mathcal{P}$ whose perturbed version will "semi-recognize" $\overline{L(M)}$. We will use the notation $\mathbf{x}$ or $\mathbf{y}$ for 2-dimensional vectors and $h$ for the third dimension (so the generic element of $\mathbb{R}^3$ will be $(\mathbf{x}, h)$). It is mainly the original system $\mathcal{P}_0$ embedded in the plane $h = 2$ of the space $\mathbb{R}^3$. However there are 2 changes (compare with the proof for TMs), informally:

• The accepting state $O$ (with its small neighborhood) of the original system $\mathcal{P}_0$ becomes rejecting for the new system $\mathcal{P}$.

• The zone $h < 1$ becomes accepting for the new system.

The idea is that for any $w \in L(M)$ the original PAM $\mathcal{P}_0$ will eventually arrive at $O$ (and accept), and hence the perturbed PAM $\mathcal{P}$ will arrive at the neighborhood of $O \times \{2\}$ and reject. For any $w \notin L(M)$ the perturbed PAM $\mathcal{P}$ will slowly drift "down" until it reaches the accepting zone $h < 1$.

Formally, let the original system be defined on a subset of the cube $[-T, T]^2 \subset \mathbb{R}^2$ by the equation $\mathbf{x} := f(\mathbf{x})$. Denote the square neighborhood $[-0.1, 0.1]^2 \subset \mathbb{R}^2$ of the origin by $C$. Then the new system will be defined on the rectangular set $[-T-1, T+1]^2 \times [-1, 3] \subset \mathbb{R}^3$ by the equation $(\mathbf{x}, h) := g(\mathbf{x}, h)$ where $g(\mathbf{x}, h)$ is defined as follows:

• if $1 \le h \le 3$ and $\mathbf{x} \notin C$, then $g(\mathbf{x}, h) = (f(\mathbf{x}), h)$. Informally speaking, in the layer $1 \le h \le 3$ the system $\mathcal{P}$ simulates the original system $\mathcal{P}_0$ without modifying $h$.

• if $1 \le h \le 3$ and $\mathbf{x} \in C$, then $g(\mathbf{x}, h)$ is undefined.

• if $h < 1$ we go to the origin: $g(\mathbf{x}, h) = (\mathbf{0}, 0)$.

The input encoding function for the system $\mathcal{P}$ is as follows: $e(w) = (e_0(w), 2)$ where $e_0$ is the encoding function of the original system $\mathcal{P}_0$.

Now we have to prove that $R^{\mathcal{P}}_\omega(e(w), O)$ iff $w \notin L(M)$. Suppose first that $w \notin L(M)$. In this case the TM $M$ has an infinite run on $w$ and the PAM $\mathcal{P}_0$ has an infinite trajectory $\mathbf{x}_n$ starting in $e_0(w)$. For any $\varepsilon > 0$ we can construct a trajectory $\mathbf{g}_n$ of the ε-perturbed system $\mathcal{P}_\varepsilon$ as follows:

• $\mathbf{g}_n = (\mathbf{x}_n, 2 - \varepsilon n)$ for $n \in [0, \lceil 1/\varepsilon \rceil]$; during the first $\lceil 1/\varepsilon \rceil$ time units the system simulates $\mathcal{P}_0$ along the first two dimensions, slowly drifting down in the third one.

• $\mathbf{g}_n = O$ for $n > \lceil 1/\varepsilon \rceil$: the trajectory jumps to the origin and stays there.

It is easy to see that $\mathbf{g}_n$ is a trajectory of the ε-perturbed system, and hence $R^{\mathcal{P}}_\varepsilon(e(w), O)$ holds.


Now consider the other case, when $w \in L(M)$. Then the trajectory $\mathbf{x}_n$ of $\mathcal{P}_0$ starting in $e_0(w)$ eventually arrives at the origin. The non-perturbed trajectory $\mathbf{g}_n$ of $\mathcal{P}$ starting in $e(w)$ will follow $\mathbf{x}_n$ in the plane $h = 2$ until it reaches the neighborhood $C$ of the origin. Once in this neighborhood the system $\mathcal{P}$ dies immediately. The only thing to verify is that all perturbed trajectories of $\mathcal{P}$ starting in $e(w)$ are close enough to $\mathbf{g}_n$ for $\varepsilon$ small enough. Let $T$ be the time of arrival at the origin (i.e. such that $\mathbf{g}_T = O$), $A = \max\{1, \|A_i\|\}$ and $\delta = \min_n dist(\mathbf{x}_n, \partial P_{i(n)})$. If we take $\varepsilon < \delta A^{-T}$, then a straightforward induction shows that any ε-perturbed trajectory $\mathbf{g}'_n$ stays close to $\mathbf{g}_n$ and the same affine maps are applied until it enters the deadly neighborhood of the origin. □


Theorem 7 All the results stated in this section can be proved in a very similar manner for Linear hybrid automata (LHA).

5  Results  on  PPCDs 

We consider finally the case of PCDs and prove the same results as for PAMs (and LHAs). The overall structure of the proofs is the same as in the previous case. However, the proofs for the two kinds of models are technically different because the rules for accumulating errors (resulting from perturbations) differ between the models. An ε-perturbation of a PAM moves the state by $\varepsilon$ in any direction at each transition, which ensures the simulation Lemma 4 (the same holds in the LHA model). By contrast, a perturbed trajectory in an ε-perturbed PCD deviates from the ideal trajectory after crossing a region by $\approx \tau\varepsilon$, where $\tau$ stands for the time needed to cross this region; this time depends on the entry point to the region and the slope in this region and cannot be bounded from below.

Our solution consists in observing (and approximating by an automaton) the states of the PCD only when it enters some special good regions. In a non-Zeno system, the time $\tau'$ between consecutive visits of good regions is bounded from below and the accumulated error $\approx \tau'\varepsilon$ is large enough to ensure simulation.

Theorem 8 (Perturbed reachability is co-r.e.) The relation R^ω_H(x, y) on Q^d is in Π^0_1.

We proceed in a similar manner as for PAMs: we approximate the ε-perturbed system by a finite-state automaton. However, relations between the system and the automaton are somewhat subtler. First of all, let N be the number of regions in the PCD, and α > 0 a positive constant specified below. Without loss of generality we can suppose that the norm used in the definition of ε-perturbed system is ||·||_∞, which means that the ε-ball centered in a point x is in fact a cube with side 2ε. Let us introduce now some definitions:

Definition 3 (Good points) A point x on the boundary of a region is good if the trajectory starting from x does not change direction during at least α time. Formally, let c = f(x) be the slope in x. Then the vector field f(y) should be constant (and equal to c) for all y ∈ [x, x + αc].

Lemma 5 (Good regions) The set G of all good points is a finite union of polyhedra of dimensionality < d.

The following lemma, saying that the good regions are visited often enough, follows from the strong non-Zenoness of the PCD.

Lemma 6 Each perturbed trajectory crossing N regions visits a good region at least once.

Let us see now how we define an "approximating automaton": for any δ we can partition G into finitely many polyhedra V_1, …, V_S of size at most δ. We say that V_j is a δ-successor of V_i if there exists a trajectory of the δ-perturbed system with no more than N links from an x ∈ V_i to a y ∈ V_j. It is easy to see that the property of being a δ-successor can be reduced to a linear programming problem, and hence is decidable.

Then, we can construct a finite automaton A_δ with states Q_δ = {q_1, …, q_S}, and with a transition from q_i to q_j authorized iff V_j is a δ-successor of V_i. Informally speaking, the automaton A_δ represents the δ-perturbed PCD with accuracy δ. In order to formalize it we introduce the following abstraction function from G to Q_δ: α_δ(x) = q_j for x ∈ V_j.

Hereafter, we explore in which sense A_δ simulates H_δ.

Lemma 7 (Quasi-Simulation) Let x, y ∈ G be two good points. (1) For any ε > 0, if the ε-perturbed system can go from x to y via a trajectory with less than N links, then the automaton A_ε can make a transition from α_ε(x) to α_ε(y); (2) for any δ > 0, if the automaton A_δ can make a transition from α_δ(x) to α_δ(y), then the Cδ-perturbed system can go from x to a good point y' via a trajectory with less than N links, where C is a rational constant independent of δ, and α_δ(y) = α_δ(y').

Corollary 6 (Many steps) Let x, y ∈ G be two good points. (1) For any ε > 0, if the ε-perturbed system has a trajectory from x to y, then the automaton A_ε has a run from α_ε(x) to α_ε(y); (2) for any δ > 0, if the automaton A_δ has a run from α_δ(x) to α_δ(y), then the Cδ-perturbed system has a trajectory from x to a good point y', where α_δ(y) = α_δ(y').


It is still not the result that we want, because first it concerns only reachability between good points, and, second, the target point y is replaced by a neighbor point y'.

In order to deal with these two issues we introduce the following δ-test for perturbed reachability between arbitrary points. First of all we construct the A_δ automaton. Next, we proceed in three steps:

1. Find the set S_1 of indices i such that V_i is reachable by H_δ from x via a trajectory with less than N links. This can be done algorithmically using linear programming.

2. Find the set S_2 of indices of all the states q_j of the A_δ automaton reachable in this automaton from {q_i | i ∈ S_1}. This is a reachability problem in a finite-state automaton.

3. For each j ∈ S_2 test whether y is reachable by H_δ from V_j via a trajectory with less than N links. This can be solved as in the first step using linear programming. In case of a positive answer for any j ∈ S_2, the δ-test succeeds, otherwise it fails.

Notice that the δ-test always terminates. Then, it is easy to see that the following fact holds:

Lemma 8 (Correctness of δ-test) For any two points x and y: (1) if R^δ_H(x, y), then the δ-test succeeds for x and y; (2) if the δ-test succeeds for x and y, then R^{Cδ}_H(x, y).

Corollary 7 (x, y) ∉ R^ω_H if and only if for some n ∈ ℕ the 1/n-test fails for x and y.

By the corollary above, a semi-decision algorithm for ¬R^ω_H is immediate, which terminates the sketch of proof of Theorem 8.

Corollary 8 (Robust ⇒ decidable) If R^ω_H = R_H then R_H is recursive.

Finally, we can prove the converse result of Theorem 8. The proof is given in the appendix.

Theorem 9 (Perturbed reachability is complete in Π^0_1) Let M be a TM. We can effectively construct a PCD H and an encoding e : Σ* → Q^n such that for any word w the following equivalence holds: w ∉ L(M) iff R^ω_H(e(w), 0).

6  Conclusion 

We have shown that when we consider infinitesimal perturbations in the dynamics of a system, the reachability relation becomes co-recursively enumerable, which proves that robust systems are decidable. It is interesting to observe that these results hold for several different discrete and continuous time models of dynamic systems, which shows that they correspond to a general phenomenon. The proofs of these results also have a common scheme, although they differ significantly depending on the specificity of the dynamics of each class of models.

Our results establish a tight link between the notions of decidability and robustness for infinitesimal perturbations. This link is of a semantical nature. An interesting question is to find sufficient "syntactical" conditions on the models of dynamical systems ensuring their robustness, leading to decidability results for classes of dynamical systems.
A Proof of Theorem 9

The idea of this proof is similar to the case of PAMs (Theorem 6). We take a PCD H_0 simulating the machine M, and add one more dimension h. We start at the level h = 4. Accepting states of the PCD H_0 become rejecting in the new PCD H. In order to be accepting in H the trajectory should go down and reach the plane h = 0. It is possible for arbitrarily small ε only if the original PCD H_0 can evolve during arbitrarily long time, that is, the perturbed version of H accepts a word iff H_0 does not accept it.

First let us construct a 4-dimensional PCD H_0 (and an input encoding e_0 : Σ* → Q^4) which simulates M and semi-recognizes L(M) as described in [3]. Its main property is that for any word w the following equivalence holds: w ∈ L(M) if and only if R_{H_0}(e_0(w), 0). It is easy to verify that if a rather small neighborhood (e.g. a 1/10-ball) of the origin is reachable from e_0(w) then w ∈ L(M).

Now we construct a new 5-dimensional PCD H whose perturbed version will "semi-recognize" L(M). We will use notation x, y for 4-dimensional vectors and h for the fifth dimension (so the generic element of ℝ^5 will be (x, h)). It is mainly the original system H_0 submerged in the hyperplane h = 3 of the space ℝ^5. However there are 2 changes (compare with the proof for PAMs), informally:

• The accepting state O (with its small neighborhood) of the original system H_0 becomes rejecting for the new system H.

• The zone h < 1 becomes accepting for the new system.

The idea is that for any w ∈ L(M) the original PCD H_0 will eventually arrive to O (and accept) and hence the perturbed PCD H will arrive to the neighborhood of O × 2 and reject. For any w ∉ L(M) the perturbed PCD H will slowly drift "down" until it reaches the accepting zone h < 1.

Formally, let the original system be defined on a subset of the cube [−T, T]^4 ⊂ ℝ^4 by the equation ẋ = f(x). Denote the cubic neighborhood of the origin [−0.1, 0.1]^4 ⊂ ℝ^4 by C.

Then the new system will be defined on the rectangular set [−T − 1, T + 1]^4 × [−1, 5] ⊂ ℝ^5 by the equation (x, h)' = g(x, h) where g(x, h) is defined as follows:

• if h > 4, then g(x, h) = (0, 1): anything that arrives in the layer h > 4 goes "up" and is rejected;

• if 2 < h < 4 and f(x) is defined, then g(x, h) = (f(x), 0). Informally speaking, in the layer 2 < h < 4 the system H simulates the original system H_0;

• if 2 < h < 4 and x ∈ C, then g(x, h) = (0, 1);

• if 2 < h < 4 and f(x) is undefined, then g(x, h) = (0, 1);

• if 1 < h < 2 we go down: g(x, h) = (0, −1);

• finally, in the layer −1 < h < 1 we put a (piecewise constant) vector field with all the trajectories going to the origin.

The input encoding function for the system H is as follows: e(w) = (e_0(w), 3) where e_0 is the encoding function of the original system H_0.

Now we have to prove that R^ω_H(e(w), 0) if and only if w ∉ L(M). Suppose first that w ∉ L(M). In this case the TM M has an infinite-length run on w and the PCD H_0 has an infinite trajectory x(t) starting in e_0(w). For any ε > 0 we can construct a trajectory g of the ε-perturbed system H as follows:

• g(t) = (x(t), 3 − εt) for t ∈ [0, 1/ε]; during the first 1/ε time units the system simulates H_0 along the first four dimensions, slowly drifting down in the fifth one;

• g(t) = (x(1/ε), 2 − (t − 1/ε)) for t ∈ [1/ε, 1/ε + 1]; the next trajectory segment goes straight down with unit velocity during one time unit;

• the last trajectory segment goes straight to the origin.

Now consider the other case, when w ∈ L(M). Then the trajectory x(t) of H_0 starting in e_0(w) eventually arrives to the origin. The non-perturbed trajectory g(t) of H starting in e(w) will follow x(t) in the plane h = 3 until it reaches the neighborhood C of the origin. Once in this neighborhood the system H goes straight up to the death. The only thing to verify is that all perturbed trajectories of H starting in e(w) are close enough to g(t) for ε small enough. This can be done similarly to PAMs.
Abstract. Dynamic programs, or fixpoint iteration schemes, are useful for solving many problems on state spaces, including model checking on Kripke structures ("verification"), computing shortest paths on weighted graphs ("optimization"), computing the value of games played on game graphs ("control"). For Kripke structures, a rich fixpoint theory is available in the form of the μ-calculus. Yet few connections have been made between different interpretations of fixpoint algorithms. We study the question of when a particular fixpoint iteration scheme for verifying an ω-regular property Ψ on a Kripke structure can be used also for solving a two-player game on a game graph with winning objective Ψ. We provide a sufficient and necessary criterion for the answer to be affirmative in the form of an extremal-model theorem for games: under a game interpretation, the dynamic program φ solves the game with objective Ψ if and only if both (1) under an existential interpretation on Kripke structures, φ is equivalent to ∃Ψ, and (2) under a universal interpretation on Kripke structures, φ is equivalent to ∀Ψ. In other words, φ is correct on all two-player game graphs iff it is correct on all extremal game graphs, where one or the other player has no choice of moves. The theorem generalizes to quantitative interpretations, where it connects two-player games with costs to weighted graphs.

While the standard translations from ω-regular properties to the μ-calculus violate (1) or (2), we give a translation that satisfies both conditions. Our construction, therefore, yields fixpoint iteration schemes that can be uniformly applied on Kripke structures, weighted graphs, game graphs, and game graphs with costs, in order to meet or optimize a given ω-regular objective.
1 Introduction

If Ψ is a property of a Kripke structure, then every μ-calculus formula φ that is equivalent to Ψ prescribes an algorithm for model checking Ψ. This is because the μ-calculus formula φ can be computed by iterative fixpoint approximation. Indeed, the μ-calculus has been called the "assembly language" for model checking.

In control, we are given a two-player game structure and an objective, and we wish to find out if player 1 (the "controller") has a strategy such that for all strategies of player 2 (the "plant") the outcome of the game meets the objective. If the outcome of a game is an infinite sequence of states, then objectives are naturally specified as ω-regular properties [15]. A simple but important objective is the reachability property ◇T, for a set T of states, which asserts that player 1 wins if it can direct the game into the target set T, while player 2 wins if it can prevent the game from entering T forever. We write ⟨⟨1⟩⟩◇T for the reachability game with target T for player 1. A dynamic program for solving the reachability game can be viewed as evaluating a fixpoint equation, namely,

$$\langle\langle 1 \rangle\rangle \Diamond T = \mu x.\,(T \vee \mathit{1Pre}(x)),$$

where 1Pre(T) is the set of states from which player 1 can force the game into T in a single step. It is not difficult to see that this fixpoint equation is identical to the μ-calculus expression for model checking the reachability property ∃◇T, namely,

$$\exists \Diamond T = \mu x.\,(T \vee \mathit{EPre}(x)), \qquad (1)$$

except for the use of the predecessor operator EPre in place of 1Pre, where EPre(T) is the set of states that have a successor in T.

For every ω-regular property Ψ, it is well-known how to construct an equivalent μ-calculus formula φ [7, 4], which can then be used to model check ∃Ψ, i.e., to compute the set of states from which there is a path satisfying Ψ. Now suppose we want to solve the control problem with objective Ψ. The question we set out to answer in this paper is whether φ is of any use for this purpose; more specifically, if we simply replace all EPre operators in φ by 1Pre operators, do we obtain an algorithm for solving the game with objective Ψ, i.e., for computing the set of states from which player 1 can ensure that Ψ holds?

In general, the answer is negative. Consider the co-Büchi property ◇□T, which asserts that, eventually, the target T is reached and never left again. The Emerson-Lei translation [7] yields the equivalent μ-calculus formula

$$\exists \Diamond \Box T = \mu x.\,(\mathit{EPre}(x) \vee (\nu y.\,\mathit{EPre}(y) \wedge T)). \qquad (2)$$

The Dam translation [4] gives

$$\exists \Diamond \Box T = \mu x.\,(\mathit{EPre}(x) \vee (T \wedge \mathit{EPre}(\nu y.\,(T \wedge \mathit{EPre}(y))))), \qquad (3)$$

and Bhat-Cleaveland [2] produce the same result. But neither of these formulas gives the correct solution for games. To see this, consider the following game on the state space {s_1, s_2, s_3}. At s_1, player 2 can play two moves: one of them keeps the game in s_1, the other takes the game to s_2. At s_2, player 1 can play two moves: one of them keeps the game in s_2, the other takes the game to s_3. Once in s_3, the game remains in s_3 forever. The target set is T = {s_1, s_3}. Then ⟨⟨1⟩⟩◇□T = {s_1, s_2, s_3}. However, both equations (2) and (3) denote the smaller set {s_2, s_3} when EPre is replaced by 1Pre.

We present an extremal-model theorem which says that the fixpoint formula φ over 1Pre solves the game with ω-regular objective Ψ if and only if both of the following conditions are met:

E The EPre version of φ is equivalent to the existential property ∃Ψ.

A The APre version of φ is equivalent to the universal property ∀Ψ. (Here, APre(T) is the set of states all of whose successors lie in T, and ∀Ψ holds at a state if all paths from the state satisfy Ψ.)

In other words, for a fixpoint formula φ to solve the game with ω-regular objective Ψ, it is not only necessary but also sufficient that φ coincides with Ψ under the two extremal, non-game interpretations. In the co-Büchi example, while the expressions (2) and (3) satisfy condition E of the extremal-model theorem, they violate condition A. By contrast, in the reachability example, the expression (1) meets also condition A, because

$$\forall \Diamond T = \mu x.\,(T \vee \mathit{APre}(x)).$$

We show constructively that for every ω-regular objective Ψ there is indeed a fixpoint formula φ which meets both conditions of the extremal-model theorem. The construction is based on the determinization of ω-automata [12, 13], and on the translation from alternating ω-automata to μ-calculus [5]. In particular, for the co-Büchi property we obtain

$$\langle\langle 1 \rangle\rangle \Diamond \Box T = \mu x.\,\nu y.\,(\mathit{1Pre}(x) \vee (\mathit{1Pre}(y) \wedge T)). \qquad (4)$$

The reader may check that both

$$\exists \Diamond \Box T = \mu x.\,\nu y.\,(\mathit{EPre}(x) \vee (\mathit{EPre}(y) \wedge T)),$$

$$\forall \Diamond \Box T = \mu x.\,\nu y.\,(\mathit{APre}(x) \vee (\mathit{APre}(y) \wedge T)).$$

In general, our translation provides optimal algorithms for solving games with ω-regular objectives: in particular, if the objective is given by a formula Ψ of linear temporal logic, then the resulting algorithm has a 2EXPTIME complexity in the length of Ψ [11].

Our results also shed light on a related question: given a "verification" μ-calculus formula φ_v that uses only the predecessor operator EPre, what is the relation between φ_v and its "control" version φ_c obtained by replacing EPre with 1Pre? From [6] we know that if φ_v is deterministic, i.e., if every conjunction in φ_v has at least one constant argument, then φ_v specifies an ω-regular language; that is, φ_v is equivalent to ∃Ψ for some ω-regular property Ψ. We introduce the syntactic class of strongly deterministic μ-calculus formulas, a subclass of the deterministic formulas, and we show that if φ_v is strongly deterministic, then φ_v solves the verification problem for specification ∃Ψ iff φ_c solves the control problem for objective Ψ. This correspondence does not hold in general for deterministic formulas.

We extend the connection between verification and control also to quantitative properties. Consider a graph with nonnegative edge weights, which represent costs. By defining an appropriate quantitative predecessor operator EPre_ℝ, the dynamic program for reachability, μx.(T ⊔ EPre_ℝ(x)), computes the cost of the shortest path to the target T. Similarly, consider a game whose moves incur costs. Then again, for a suitable quantitative predecessor operator 1Pre_ℝ, the dynamic program μx.(T ⊔ 1Pre_ℝ(x)) computes the real value of the game, which is defined as the minimal cost for player 1 to reach the target T (or infinity, if player 1 has no strategy to reach T). For general ω-regular objectives, we define the cost of the infinite outcome of a game as the cost of the shortest (possibly finite) prefix that is a witness to the objective. We show that the extremal-model theorem applies to this quantitative setting also. This gives us dynamic programs for solving the real-valued games with respect to all ω-regular objectives. For example, equation (4) with 1Pre replaced by 1Pre_ℝ specifies a dynamic program for the quantitative co-Büchi game, whose value is the minimal cost for player 1 to reach and stay inside the target T (this cost is infinite unless player 1 can enforce an infinite sequence of moves all but finitely many of which have cost 0).
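The fixpoint computations described in this introduction, run on the page's own three-state co-Büchi game and on two constructed structures. This is an added Python example, not code from the paper. Figures 1 and 2 (which define the operators) are not reproduced on the page, so 1Pre, EPre and APre are written from the text's verbal descriptions, and the quantitative operators EPre_ℝ and 1Pre_ℝ are assumed to add a move's cost to the value of its successor, taking the cheapest move, respectively player 1's best action against player 2's worst reply. The game structures COBUCHI, KRIPKE and COST, their action names and the costs are all constructed here.

```python
"""Fixpoint evaluation of dynamic programs on small game structures.
Added example, not code from the paper; operator definitions follow the
text's verbal descriptions, and all structures below are constructed."""
from math import inf


class Game:
    """Concurrent game structure (Section 2.1): delta[s][(a, b)] is the
    successor of s under player-1 action a and player-2 action b;
    weight[s][(a, b)] is the nonnegative cost (default 0).  At a turn-based
    state the idle player has the single dummy action '-'."""

    def __init__(self, delta, weight=None):
        self.delta = delta
        self.weight = weight or {}
        self.states = frozenset(delta)

    def gamma1(self, s):
        return {a for (a, _) in self.delta[s]}

    def gamma2(self, s):
        return {b for (_, b) in self.delta[s]}

    def cost(self, s, a, b):
        return self.weight.get(s, {}).get((a, b), 0)


def fix(f, start):
    """Kleene iteration of a monotone f on a finite lattice: least fixpoint
    (mu) when started at bottom, greatest fixpoint (nu) when started at top."""
    x = start
    while True:
        y = f(x)
        if y == x:
            return x
        x = y


# Boolean predecessor operators on sets of states.
def pre1(g, x):
    """1Pre: player 1 has an action that lands in x whatever player 2 does."""
    return {s for s in g.states
            if any(all(g.delta[s][(a, b)] in x for b in g.gamma2(s))
                   for a in g.gamma1(s))}

def epre(g, x):
    """EPre: some successor lies in x."""
    return {s for s in g.states if any(t in x for t in g.delta[s].values())}

def apre(g, x):
    """APre: every successor lies in x."""
    return {s for s in g.states if all(t in x for t in g.delta[s].values())}


# The co-Buechi formulas (2), (3), (4), parametrised by the operator used.
def eq2(g, pre, t):
    """(2): mu x.(Pre(x) or nu y.(Pre(y) and T))."""
    inner = fix(lambda y: pre(g, y) & t, set(g.states))
    return fix(lambda x: pre(g, x) | inner, set())

def eq3(g, pre, t):
    """(3): mu x.(Pre(x) or (T and Pre(nu y.(T and Pre(y)))))."""
    inner = fix(lambda y: t & pre(g, y), set(g.states))
    return fix(lambda x: pre(g, x) | (t & pre(g, inner)), set())

def eq4(g, pre, t):
    """(4): mu x. nu y.(Pre(x) or (Pre(y) and T))."""
    return fix(lambda x: fix(lambda y: pre(g, x) | (pre(g, y) & t),
                             set(g.states)), set())


# Quantitative operators on V_R = ([0, inf], min, max, 0, inf).  Assumed
# forms: a move costs w(s, a, b) plus the successor's value; EPre_R takes the
# cheapest move, 1Pre_R lets player 1 pick a and player 2 answer worst.
def epre_q(g, f):
    return {s: min(g.cost(s, a, b) + f[t] for (a, b), t in g.delta[s].items())
            for s in g.states}

def pre1_q(g, f):
    return {s: min(max(g.cost(s, a, b) + f[g.delta[s][(a, b)]]
                       for b in g.gamma2(s)) for a in g.gamma1(s))
            for s in g.states}

def reach_cost(g, pre_q, t):
    """mu x.([T] join Pre_R(x)); join is min, [T] is 0 on T, inf elsewhere."""
    char = {s: (0 if s in t else inf) for s in g.states}
    def step(x):
        p = pre_q(g, x)
        return {s: min(char[s], p[s]) for s in g.states}
    return fix(step, {s: inf for s in g.states})


# The page's co-Buechi game: player 2 moves at s1, player 1 at s2, s3 absorbs.
COBUCHI = Game({"s1": {("-", "stay"): "s1", ("-", "go"): "s2"},
                "s2": {("stay", "-"): "s2", ("go", "-"): "s3"},
                "s3": {("-", "-"): "s3"}})
T = {"s1", "s3"}

# Constructed player-1 structure: every path from s eventually stays in T2,
# yet the APre version of (2) misses s, so (2) violates condition A here.
KRIPKE = Game({"s": {("loop", "-"): "s", ("leave", "-"): "t"},
               "t": {("-", "-"): "u"},
               "u": {("-", "-"): "u"}})
T2 = {"s", "u"}

# Constructed weighted game: at s1 player 1 pays 5 to jump to the target or 1
# to go via s2, where player 2 may forward it (cost 1) or send it back (cost 1).
COST = Game({"s1": {("direct", "-"): "s3", ("via", "-"): "s2"},
             "s2": {("-", "fwd"): "s3", ("-", "back"): "s1"},
             "s3": {("-", "-"): "s3"}},
            {"s1": {("direct", "-"): 5, ("via", "-"): 1},
             "s2": {("-", "fwd"): 1, ("-", "back"): 1}})

if __name__ == "__main__":
    for name, formula in (("(2)", eq2), ("(3)", eq3), ("(4)", eq4)):
        print(name, "with 1Pre:", sorted(formula(COBUCHI, pre1, T)))
    print("(2)/(4) with APre on KRIPKE:", sorted(eq2(KRIPKE, apre, T2)),
          sorted(eq4(KRIPKE, apre, T2)))
    print("shortest path:", reach_cost(COST, epre_q, {"s3"}))
    print("game value:", reach_cost(COST, pre1_q, {"s3"}))
```

On COBUCHI, (2) and (3) over 1Pre return {s2, s3} while (4) returns all three states, exactly as the text states; over EPre all three formulas agree with ∃◇□T on that game, so the defect is only visible under the game (or, on KRIPKE, the universal) interpretation. The quantitative runs give shortest-path cost 2 at s1 under EPre_ℝ, but game value 5 under 1Pre_ℝ, because the cheap route through s2 can be bounced back by player 2 forever.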

2  Reachability  and  Safety 

We  define  our  setting,  and  in  doing  so,  review  some 
well-known  results  about  iterative  solutions  for  sim¬ 
ple  verification,  optimization,  and  control  problems, 
where  the  objective  is  to  reach  or  avoid  a  given  set  of 
states  (expending  minimal  cost). 

2.1  Game  structures 

We define game structures over a global set A of actions, and a global set P of propositions. A (two-player) game structure G = (S, Γ_1, Γ_2, δ, ⟨·⟩) (over A and P) consists of a finite set S of states, two action assignments Γ_1, Γ_2 : S → 2^A \ ∅ which define for each state two nonempty, finite sets of actions available to player 1 and player 2, respectively, a transition function δ : S × A × A → S which associates with each state s and each pair of actions a ∈ Γ_1(s) and b ∈ Γ_2(s) a successor state, a weight function w : S × A × A → ℝ_{≥0} which associates with each state s and each pair of actions a ∈ Γ_1(s) and b ∈ Γ_2(s) a nonnegative real, and a proposition assignment ⟨·⟩ : S → 2^P which defines for each state s a finite set ⟨s⟩ ⊆ P of propositions that are true in s. Intuitively, at state s, player 1 chooses an action a from Γ_1(s) and, simultaneously and independently, player 2 chooses an action b from Γ_2(s). Then, the game proceeds to the successor state δ(s, a, b). The nonnegative real w(s, a, b) represents the "cost" of the transition δ(s, a, b) (if it is to be minimized), or a "reward" (if it is to be maximized). Given a proposition p ∈ P, a state s ∈ S is called a p-state iff p ∈ ⟨s⟩. If S is not given explicitly, then we write S^G to denote the state space of the game structure G.

Game structures are "concurrent" [1]; they subsume "turn-based" game structures (i.e., and-or graphs), where in each state at most one of the two players has a choice of actions. A special case of turn-based games are the one-player structures. A one-player structure is either a player-1 structure or a player-2 structure. The game structure G is a player-1 structure if Γ_2(s) is a singleton for all states s ∈ S; and G is a player-2 structure if Γ_1(s) is a singleton for all s ∈ S. In player-1 structures, player 2 has no choices, and in player-2 structures, player 1 has no choices. Every game structure G defines an underlying transition structure K^G = (S, →, ⟨·⟩), where for all states s, t ∈ S, we have s → t iff there exist actions a ∈ Γ_1(s) and b ∈ Γ_2(s) such that δ(s, a, b) = t. Transition structures do not distinguish between individual players.

Restrictions of game structures. A player-1 restriction of the game structure G = (S, Γ_1, Γ_2, δ, ⟨·⟩) is a game structure of the form G_1 = (S, Γ'_1, Γ_2, δ, ⟨·⟩) with Γ'_1(s) ⊆ Γ_1(s) for all states s ∈ S. Symmetrically, a player-2 restriction of G is a game structure of the form G_2 = (S, Γ_1, Γ'_2, δ, ⟨·⟩) with Γ'_2(s) ⊆ Γ_2(s) for all s ∈ S. In other words, for i = 1, 2, a player-i restriction of a game structure restricts the action choices that are available to player i.

Strategies and runs. Consider a game structure G = (S, Γ_1, Γ_2, δ, ⟨·⟩). A player-i strategy ξ_i, for i = 1, 2, is a function ξ_i : S^+ → A that maps every nonempty, finite sequence of states to an action available to player i at the last state of the sequence; that is, ξ_i(s̄·s) ∈ Γ_i(s) for every state sequence s̄ ∈ S* and every state s ∈ S. Intuitively, ξ_i(s̄·s) indicates the choice taken by player i according to strategy ξ_i if the current state of the game is s, and the history of the game is s̄. We write Ξ_i for the set of player-i strategies. We distinguish the following types of strategies. The strategy ξ_i is memoryless if in every state s ∈ S, the choice of player i depends only on s; that is, ξ_i(s̄·s) = ξ_i(s) for all state sequences s̄ ∈ S*. The strategy ξ_i is finite-memory if in every state s ∈ S, the choice of player i depends only on s, and on a finite number of bits about the history of the game; the formal definition is standard [5].

A run r of the game structure G is a nonempty, finite or infinite sequence s_0(a_0, b_0)s_1(a_1, b_1)s_2 ⋯ of alternating states s_j ∈ S and action pairs (a_j, b_j) ∈ Γ_1(s_j) × Γ_2(s_j) such that s_{j+1} = δ(s_j, a_j, b_j) for all j ≥ 0. The first state s_0 is called the source of the run. The weight of the run is w(r) = Σ_{j≥0} w(s_j, a_j, b_j); the weight w(r) is either a real number, or infinity (if the sum diverges). Let ξ_1 ∈ Ξ_1 and ξ_2 ∈ Ξ_2 be a pair of strategies for player 1 and player 2, respectively. The outcome R_{ξ_1,ξ_2}(s) from state s ∈ S of the strategies ξ_1 and ξ_2 is a source-s infinite run of G, namely, R_{ξ_1,ξ_2}(s) = s_0(a_0, b_0)s_1(a_1, b_1)s_2 ⋯ such that (1) s_0 = s and (2) for all j ≥ 0, both a_j = ξ_1(s_0 ⋯ s_j) and b_j = ξ_2(s_0 ⋯ s_j).
Figure 1: Boolean game and transition predecessor operators


2.2  Single-step  verification  and  control 

Values and valuations. A value lattice is a complete lattice (V, ⊔, ⊓, ⊤, ⊥) of values V with join ⊔, meet ⊓, top element ⊤, and bottom element ⊥. Given u, v ∈ V, we write u ⊑ v iff u = u ⊓ v. Consider a game structure G = (S, Γ_1, Γ_2, δ, ⟨·⟩). A valuation f for G on the value lattice V is a function from states to values; that is, f : S → V. The set [S → V] of valuations is again a lattice, with the lattice operations (⊔, ⊓, ⊤, ⊥) defined pointwise; for example, for two valuations f_1 and f_2, we have (f_1 ⊔ f_2)(s) = f_1(s) ⊔ f_2(s) for all states s ∈ S. If f : S → V is a valuation such that f(s) ∈ {⊤, ⊥} for all states s ∈ S, then by ¬f we denote the "complementary" valuation with ¬f(s) = ⊤ if f(s) = ⊥, and ¬f(s) = ⊥ if f(s) = ⊤. For a set T ⊆ S of states, we write [T] : S → V for the valuation with [T](s) = ⊤ if s ∈ T, and [T](s) = ⊥ if s ∉ T. For a proposition p ∈ P, we write [p] : S → V for the valuation with [p](s) = ⊤ if p ∈ ⟨s⟩, and [p](s) = ⊥ if

Predecessor operators. Let V be a value lattice. Let Pre be a family of functions that contains, for every game structure G, a strict (i.e., bottom-preserving), monotone, and continuous function Pre^G : [S^G → V] → [S^G → V]. The function family Pre is a predecessor-1 operator on V if for every game structure G, every player-1 restriction G_1 of G, every player-2 restriction G_2 of G, and every valuation f : S^G → V, both Pre^{G_1}(f) ⊑ Pre^G(f) and Pre^G(f) ⊑ Pre^{G_2}(f). Symmetrically, the function family Pre is a predecessor-2 operator on V if for every game structure G, every player-1 restriction G_1 of G, every player-2 restriction G_2 of G, and every valuation f : S^G → V, we have both Pre^G(f) ⊑ Pre^{G_1}(f) and Pre^{G_2}(f) ⊑ Pre^G(f). Intuitively, the more actions are available to player 1 in a game structure, the "better" (i.e., closer to top in the valuation lattice) the result of applying a predecessor-1 operator to a valuation, and the "worse" (i.e., closer to bottom) the result of applying a predecessor-2 operator.

Example 1: boolean game structures ("control"). Consider the boolean value lattice V_𝔹 = (𝔹, ∨, ∧, T, F), where truth T is the top element and falsehood F is the bottom element. The valuations for a game structure G on V_𝔹 are called the boolean valuations for G; they correspond to the subsets of S^G. Figure 1 defines the predecessor operators 1Pre_𝔹 and 2Pre_𝔹, applied to a game structure G = (S, Γ_1, Γ_2, δ, ⟨·⟩), boolean valuation f : S → 𝔹, and state s ∈ S. For a set T ⊆ S of states, the boolean valuation 1Pre_𝔹([T]) : S → 𝔹 of "controllable predecessors" is true at the states from which player 1 can force the game into T in a single step, no matter which action player 2 chooses. The operator 2Pre_𝔹 behaves symmetrically for player 2, and therefore solves the control problem for the player-2 objective of reaching the target set T in a single step. The operator 1Pre_𝔹 is a predecessor-1 operator on V_𝔹, and 2Pre_𝔹 is a predecessor-2 operator.

Example 2: boolean transition structures ("verification"). Consider again the boolean value lattice V_𝔹. Figure 1 defines the predecessor operators EPre_𝔹 and APre_𝔹. For a set T ⊆ S of states, the boolean valuation EPre_𝔹([T]) : S → 𝔹 of "possible predecessors" is true at the states that have some successor in T; the boolean valuation APre_𝔹([T]) : S → 𝔹 of "unavoidable predecessors" is true at the states that have all successors in T. For each game structure G, the functions EPre_𝔹^G and APre_𝔹^G correspond to the branching-time "next" operators ∃○ and ∀○, respectively, of temporal logic interpreted over the underlying transition structure K^G. Therefore, EPre_𝔹 and APre_𝔹 solve the verification problems with the specifications of possibly or certainly reaching the target set T in a single step. The operators EPre_𝔹 and APre_𝔹 are both predecessor-1 and predecessor-2 operators on V_𝔹.

Figure 2: Quantitative game and transition predecessor operators

Example 3: quantitative game structures ("optimal control"). Consider the quantitative value lattice V_R = (R≥0 ∪ {∞}, min, max, 0, ∞), where 0 is the top element and ∞ is the bottom element. Intuitively, each value represents a cost, and the smaller the cost, the "better." In particular, u ⊑ v iff either u, v ∈ R≥0 and u ≥ v, or u = ∞; that is, the lattice is based on the reverse ordering of the reals. The valuations for a game structure G on V_R are called the quantitative valuations for G; they are the functions from S^G to the interval [0, ∞]. Figure 2 defines the predecessor operators 1Pre_R and 2Pre_R, applied to a game structure G = (S, Γ1, Γ2, δ, ⟨·⟩), quantitative valuation f: S → [0, ∞], and state s ∈ S. For a set T ⊆ S of states, the quantitative valuation 1Pre_R^G[T]: S → [0, ∞] gives for each state the minimal cost for player 1 of forcing the game into T in a single step (if player 1 cannot force the game into T, then the cost is ∞). The operator 2Pre_R behaves symmetrically for player 2, and therefore solves the optimal-control problem with the player-2 objective of reaching the target set T in a single step at minimal cost. The operator 1Pre_R is a predecessor-1 operator on V_R, and 2Pre_R is a predecessor-2 operator.

Example 4: quantitative transition structures ("optimization"). Consider again the quantitative value lattice V_R. Figure 2 defines the predecessor operators EPre_R and APre_R. For a set T ⊆ S of states, the quantitative valuation EPre_R^G[T]: S → [0, ∞] gives for each state the weight of the minimal transition into T (or ∞, if no such transition exists), and APre_R^G[T]: S → [0, ∞] gives for each state the weight of the maximal transition into T (or ∞, if some transition does not lead into T). These are the single-step shortest-path and single-step longest-path problems on the underlying transition structure K^G. The operators EPre_R and APre_R are both predecessor-1 and predecessor-2 operators on V_R.

2.3  Multi-step  verification  and  control 

Multi-step verification ("Can a target set be reached in some number of steps?"), optimization ("What is the shortest path to the target?"), and control problems ("Can one player force the game into the target, in some number of steps, no matter what the other player does?") can be solved by iterating the single-step solutions ("dynamic programming"). Here, we exemplify the solutions for the goals of reachability and safety; more general objectives will be dealt with in Section 4. In the following, consider a game structure G = (S, Γ1, Γ2, δ, ⟨·⟩) and a proposition p ∈ P.

Reachability. We define ◇p to be the set of minimal finite runs of G that end in a p-state; that is, the run s0(a0,b0)s1(a1,b1)...sm is in ◇p iff (1) p ∈ ⟨sm⟩ and (2) for all 0 ≤ j < m, we have p ∉ ⟨sj⟩. Figure 3 defines four boolean valuations in [S → B]. The valuation ⟨⟨1⟩⟩_B^G ◇p is true at the states from which player 1 can control the game to reach a p-state; the valuation ⟨⟨2⟩⟩_B^G ◇p is true at the states from which player 2 can control the game to reach a p-state; the valuation ∃_B^G ◇p is true at the states from which the two players can collaborate to reach a p-state; the valuation ∀_B^G ◇p is true at the states from which, no matter what the two players do, a p-state will be reached. The first two valuations specify boolean games with the reachability objective ◇p for players 1 and 2, respectively; the last two valuations specify the branching-time properties ∃◇p and ∀◇p on the underlying transition structures.

Figure 3 also defines the four corresponding quantitative valuations in [S → [0, ∞]]; we use the convention that the infimum of an empty set of nonnegative reals is ∞, and the supremum is 0. The valuation ⟨⟨1⟩⟩_R^G ◇p gives for each state the minimal cost for player 1 to direct the game to a p-state (or ∞, if player 1 cannot direct the game to a p-state); the valuation ⟨⟨2⟩⟩_R^G ◇p gives for each state the minimal cost for player 2 to direct the game to a p-state; the valuation ∃_R^G ◇p gives for each state the minimal cost to reach a p-state if both players collaborate; the valuation ∀_R^G ◇p gives for each state the maximal reward achievable, if both players collaborate, before a p-state is reached. The first two valuations specify quantitative games with the reachability objective ◇p for players 1 and 2, respectively; the last two valuations specify shortest-path and longest-path problems on the underlying transition structure.

Figure 3: Boolean and quantitative reachability games

The boolean and quantitative valuations for the reachability objective ◇p can be characterized by least-fixpoint expressions on the corresponding valuation lattice:

$$\langle\!\langle 1\rangle\!\rangle_V^G \Diamond p = \mu x.\,([p] \sqcup 1\mathit{Pre}_V^G(x)), \qquad (13)$$

$$\langle\!\langle 2\rangle\!\rangle_V^G \Diamond p = \mu x.\,([p] \sqcup 2\mathit{Pre}_V^G(x)), \qquad (14)$$

$$\exists_V^G \Diamond p = \mu x.\,([p] \sqcup \mathit{EPre}_V^G(x)), \qquad (15)$$

$$\forall_V^G \Diamond p = \mu x.\,([p] \sqcup \mathit{APre}_V^G(x)), \qquad (16)$$

where V ∈ {B, R}, and the variable x ranges over the boolean valuations in [S → B] if V = B, and over the quantitative valuations in [S → [0, ∞]] if V = R. In other words, a single fixpoint expression (namely, "◇p = μx.(p ∨ pre(x))") suffices for the solution of boolean and quantitative verification and control problems, provided the pre-operator is interpreted appropriately.

Fixpoint expressions prescribe algorithms. The solutions to the fixpoint equations (13)-(16) can be computed iteratively on the valuation lattice as the limit of a sequence x0, x1, x2, ... of valuations: let x0 = ⊥, and for all k ≥ 0, let x_{k+1} = [p] ⊔ Pre_V^G(x_k), where Pre ∈ {1Pre, 2Pre, EPre, APre}. For our four examples, the iteration converges in a finite number of steps. This is well-known in the case of boolean game structures and in the case of quantitative transition structures; finite convergence can be shown inductively also for quantitative game structures.

Safety. The complement of a reachability objective is a safety objective. We define □p to be the set of infinite runs of the game structure G that never leave p-states; that is, the run s0(a0,b0)s1(a1,b1)... is in □p iff p ∈ ⟨sj⟩ for all j ≥ 0. Figure 4 defines the boolean and quantitative valuations for the safety objective □p. For example, the boolean valuation ⟨⟨1⟩⟩_B^G □p is true at the states from which player 1 can control the game to stay within p-states; the quantitative valuation ∃_R^G □p gives for each state the minimal cost of an infinite path that stays within p-states; the boolean valuation ∀_B^G □p is true at the states from which p is an invariant.

The boolean and quantitative valuations for the safety objective □p can be characterized by greatest-fixpoint expressions on the corresponding valuation lattice:

$$\langle\!\langle 1\rangle\!\rangle_V^G \Box p = \nu x.\,([p] \sqcap 1\mathit{Pre}_V^G(x)), \qquad (21)$$

$$\langle\!\langle 2\rangle\!\rangle_V^G \Box p = \nu x.\,([p] \sqcap 2\mathit{Pre}_V^G(x)), \qquad (22)$$

$$\exists_V^G \Box p = \nu x.\,([p] \sqcap \mathit{EPre}_V^G(x)), \qquad (23)$$

$$\forall_V^G \Box p = \nu x.\,([p] \sqcap \mathit{APre}_V^G(x)), \qquad (24)$$

where V ∈ {B, R}. The solutions to these fixpoint equations can again be computed iteratively as the limit of a sequence x0, x1, x2, ... of valuations: let x0 = ⊤, and for all k ≥ 0, let x_{k+1} = [p] ⊓ Pre_V^G(x_k). This iteration converges for boolean game structures in a finite number of steps, but not necessarily for quantitative game or transition structures, where convergence may require infinitely many steps.

3  An  Extremal  Model  Theorem 

Figure 4: Boolean and quantitative safety games

For verification problems, fixpoint solutions are known for much richer objectives ("specifications") than reachability and safety, and a fixpoint theory (the μ-calculus) is available for this purpose. In the case of reachability and safety, the fixpoint expressions we provided (namely, ◇p = μx.(p ∨ pre(x)) and □p = νx.(p ∧ pre(x))) solve both the verification and control problems. This is not always the case: as we pointed out in the introduction, there are fixpoint expressions that solve a verification problem over transition structures, but do not solve the corresponding control problem over game structures. We now characterize the fixpoint expressions that solve both verification and control problems, provided the predecessor operators are interpreted appropriately.

3.1  Linear  temporal  logic 

Consider a game structure G = (S, Γ1, Γ2, δ, ⟨·⟩). We express winning objectives for the infinite game played on G by formulas of linear temporal logic (LTL). The LTL formulas are generated by the grammar

$$\Psi ::= p \mid \neg\Psi \mid \Psi \vee \Psi \mid \bigcirc\Psi \mid \Psi\,\mathcal{U}\,\Psi,$$

where p ∈ P is a proposition, ○ is the "next" operator, and U is the "until" operator. Additional constructs such as ◇Ψ = t U Ψ and □Ψ = ¬◇¬Ψ can be defined in the standard way. A trace π: ω → 2^P is an infinite sequence of sets of propositions. Every LTL formula Ψ has a truth value on each trace. We write L(Ψ) for the set of traces that satisfy Ψ; a formal definition of L(Ψ) can be found in [9].

Boolean LTL games. Every infinite run r = s0(a0,b0)s1(a1,b1)s2... of the game structure G induces a trace ⟨r⟩ = ⟨s0⟩⟨s1⟩⟨s2⟩... Consider a state s ∈ S and an LTL formula Ψ. We say that player 1 can control state s for objective Ψ in the game structure G if player 1 has a strategy ξ ∈ Ξ1 such that for all strategies η ∈ Ξ2 of player 2, the trace induced by the outcome of the game satisfies the formula Ψ; that is, ⟨r^G_{ξ,η}(s)⟩ ∈ L(Ψ). A suitable strategy ξ is a winning player-1 strategy for Ψ from s in G. We write ⟨⟨1⟩⟩_B^G Ψ: S → B for the boolean valuation that is true at the states which can be controlled by player 1 for Ψ in G; see Figure 5. The player-2 winning valuation ⟨⟨2⟩⟩_B^G Ψ is defined symmetrically. Figure 5 also defines the boolean valuation ∃_B^G Ψ: S → B, which is true at the states that satisfy the existential CTL* formula ∃Ψ in the underlying transition structure K^G, and the boolean valuation ∀_B^G Ψ: S → B, which is true at the states that satisfy the universal CTL* formula ∀Ψ in K^G.


Quantitative LTL games. By ⟨⟨1⟩⟩_R^G Ψ we wish to denote the minimal cost for player 1 to achieve the objective Ψ. Recall the previous section. In reachability games, we compute the cost of winning as the weight of a finite run that reaches the target, while in safety games, the cost of winning is the weight of an infinite run. This is because upon reaching the target, we know that the reachability objective is satisfied, while a safety objective can be witnessed only by the entire infinite run generated by a game. We generalize this principle to arbitrary LTL formulas by defining the satisfaction index of a trace with respect to an LTL formula. Given a trace π = π0 π1 π2 ... and a nonnegative integer k, the trace π' = π'0 π'1 π'2 ... is a k-variant of π iff πj = π'j for all 0 ≤ j < k. Let Δ(π, k) be the set of k-variants of π. For a trace π and an LTL formula Ψ, the satisfaction index κ(π, Ψ) is the smallest integer k ≥ 0 such that Δ(π, k) ⊆ L(Ψ) if such a k exists, and κ(π, Ψ) = ∞ otherwise. Intuitively, κ(π, Ψ) is the minimal number of steps after which we can conclude that the trace π satisfies the formula Ψ.

For an infinite run r and a nonnegative integer k, let r[0..k] be the prefix of r that contains k states. Given an LTL formula Ψ, the quantitative valuation ⟨⟨1⟩⟩_R^G Ψ: S → [0, ∞] is formally defined in Figure 5. For each state s ∈ S, we say that ⟨⟨1⟩⟩_R^G Ψ(s) is the player-1 value of the game with objective Ψ at the state s of the game structure G. A strategy ξ that attains the infimum is an optimal player-1 strategy for Ψ from s in G. The player-2 valuation ⟨⟨2⟩⟩_R^G Ψ is defined symmetrically. Figure 5 also defines the quantitative valuation ∃_R^G Ψ: S → [0, ∞], which for each state s gives the minimum cost necessary for determining that some path from s in the underlying transition structure K^G satisfies Ψ (or ∞, if no such path exists). Dually, the valuation ∀_R^G Ψ: S → [0, ∞] gives for each state s the maximal reward attainable along some path from s in K^G until Ψ can no longer be violated.

Figure 5: Boolean and quantitative LTL games


3.2  Fixpoint  calculi  for  games 

We define a family of fixpoint logics on game structures. The fixpoint formulas are generated by the grammar

$$\varphi ::= p \mid \neg p \mid x \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \mathit{pre}_1(\varphi) \mid \mathit{pre}_2(\varphi) \mid \mu x.\varphi \mid \nu x.\varphi,$$

for propositions p ∈ P and variables x. A fixpoint formula φ is a one-player formula if either it contains no pre2-operator, or it contains no pre1-operator. In the former case, φ is a player-1 formula; in the latter case, a player-2 formula. Given a value lattice V, a predecessor-1 operator Pre1 on V, and a predecessor-2 operator Pre2 on V, the closed fixpoint formulas form a logic on game structures: for every game structure G, every closed fixpoint formula φ(Pre1, Pre2) specifies a valuation [[φ]]^G: S^G → V. The syntactic operator pre1 is interpreted semantically as the predecessor-1 operator Pre1, and pre2 is interpreted as Pre2. To make the interpretation of the pre-operators explicit, we sometimes write φ(Pre1, Pre2) when naming a fixpoint formula. Then, φ(Pre'1, Pre'2) describes the syntactically identical fixpoint formula, with the pre1-operator interpreted as Pre'1, and pre2 interpreted as Pre'2. Likewise, the one-player formulas have only a single predecessor operator as argument.

We now define the semantics of fixpoint formulas formally. Let V be a value lattice, let Pre1 be a predecessor-1 operator on V, and let Pre2 be a predecessor-2 operator on V. Let G be a game structure. A variable environment E for G is a function that maps every variable x to a valuation in [S^G → V]. We write E[x ↦ f] for the function that agrees with E on all variables, except that x is mapped to the valuation f. Given V, Pre1, Pre2, G, and a variable environment E for G, each fixpoint formula φ specifies a valuation [[φ]]_E^G: S^G → V, which is defined inductively by the following equations:

$$[\![p]\!]_E^G = [p]$$

$$[\![\neg p]\!]_E^G = \neg[p]$$

$$[\![x]\!]_E^G = E(x)$$

$$[\![\varphi_1 \{\vee,\wedge\} \varphi_2]\!]_E^G = [\![\varphi_1]\!]_E^G \{\sqcup,\sqcap\} [\![\varphi_2]\!]_E^G$$

$$[\![\mathit{pre}_i(\varphi)]\!]_E^G = \mathit{Pre}_i^G([\![\varphi]\!]_E^G)$$

$$[\![\{\mu,\nu\}x.\varphi]\!]_E^G = \{\sqcap,\sqcup\}\{f: S^G \to V \mid f = [\![\varphi]\!]_{E[x \mapsto f]}^G\}$$

All right-hand-side (semantic) operations are performed on the valuation lattice [S^G → V]. If φ is a closed formula, then [[φ]]^G = [[φ]]_E^G for any variable environment E.

Provided that the predecessor operators Pre1 and Pre2 on V are computable, each formula φ(Pre1, Pre2) prescribes a dynamic program for computing the valuation [[φ]]^G over a game structure G by iterative approximation.

Example: mu-calculus. Choose the boolean value lattice V_B, and the predecessor operators Pre1 = EPre_B and Pre2 = APre_B. The resulting logic on game structures coincides with the μ-calculus [8] on the underlying transition structures.

Example: boolean game calculus. Choose the boolean value lattice V_B, and the predecessor operators Pre1 = 1Pre_B and Pre2 = 2Pre_B. The resulting logic on game structures is the alternating-time μ-calculus of [1]. The player-i fragment, for i = 1, 2, is expressive enough to compute the winning states for player i with respect to any LTL objective.

Example: quantitative game calculus. Choose the quantitative value lattice V_R, and the predecessor operators Pre1 = 1Pre_R and Pre2 = 2Pre_R. The resulting logic may be called the quantitative game calculus. We shall see that the player-i fragment, for i = 1, 2, is expressive enough to compute all player-i values with respect to any LTL objective.

Example: quantitative mu-calculus. Choose the quantitative value lattice V_R, and the predecessor operators Pre1 = EPre_R and Pre2 = APre_R. The resulting logic may be called the quantitative μ-calculus. It can be used to compute, for example, the minimal and maximal weights of paths that satisfy LTL formulas in transition structures.

Monotonicity. The following monotonicity property of fixpoint formulas will be useful.

Lemma 1 For every game structure G, every 1-restriction G1 of G, every 2-restriction G2 of G, and every player-1 fixpoint formula φ, we have [[φ]]^{G1} ⊑ [[φ]]^G and [[φ]]^G ⊑ [[φ]]^{G2}. A symmetrical result holds for player-2 formulas.

Lean fixpoint formulas. We shall use fixpoint formulas as algorithms for computing the values of LTL games. The quantitative interpretation of a fixpoint formula, however, does not take into account the satisfaction index of the corresponding LTL formula, and may compute the cost of a trace even beyond the satisfaction index. For example, the LTL formula ○t has the satisfaction index 0, because every state has a successor. Hence (∃_R^G ○t)(s) = 0 for all game structures G and states s ∈ S^G. While ∃_B^G ○t = [[EPre_B(t)]]^G for all game structures G, if s ∈ S^G is a state all of whose outgoing transitions have positive weights, then [[EPre_R(t)]]^G(s) > 0. This motivates the definition of lean fixpoint formulas. A fixpoint formula φ is valid if for every game structure G and every state s ∈ S^G, we have [[φ(1Pre_B, 2Pre_B)]]^G(s) = T. A fixpoint formula is lean if no valid subformula contains pre-operators.

From now on we will make heavy use of the following convenient notation. If f^G and g^G are two families of valuations, one each for every game structure G, then we write "f = g" short for "f^G = g^G for all game structures G."

Lemma 2 Let Ψ be an LTL formula, and let φ be a lean one-player fixpoint formula. Then ∃_B Ψ = [[φ(EPre_B)]] iff ∃_R Ψ = [[φ(EPre_R)]], and ∀_B Ψ = [[φ(APre_B)]] iff ∀_R Ψ = [[φ(APre_R)]].

3.3 From verification to control: a semantic criterion

The following theorem characterizes the fixpoint formulas that can be used for solving boolean as well as quantitative games with LTL winning objectives. The characterization reduces problems on two-player structures (control) and on quantitative structures (optimization) to problems on boolean one-player structures (verification), which are well-understood.


Theorem 1 For every LTL formula Ψ and every lean player-i fixpoint formula φ, where i = 1, 2, the following four statements are equivalent:

• ⟨⟨i⟩⟩_B Ψ = [[φ(iPre_B)]].

• ⟨⟨i⟩⟩_R Ψ = [[φ(iPre_R)]].

• ∃_R Ψ = [[φ(EPre_R)]] and ∀_R Ψ = [[φ(APre_R)]].

• ∃_B Ψ = [[φ(EPre_B)]] and ∀_B Ψ = [[φ(APre_B)]].

The theorem can be stated equivalently as follows:

⟨⟨i⟩⟩_V^G Ψ = [[φ(iPre_V)]]^G for all game structures G iff ⟨⟨i⟩⟩_V^G Ψ = [[φ(iPre_V)]]^G for all one-player structures G.

In other words, the fixpoint formula φ prescribes an algorithm for computing the boolean or quantitative values of games with the winning objective Ψ iff it does so on all boolean, extremal game structures, where one or the other player has no choice of actions.

Proof sketch. Clearly, a fixpoint formula φ that solves games with objective Ψ also works over one-player structures, which are special cases of games. For the implication from one-player to game structures, we argue by contradiction. We start with the boolean player-1 interpretation (the proof for player 2 is symmetric). First we notice that given a game structure G for which the two valuations ⟨⟨1⟩⟩_B^G Ψ and [[φ(1Pre_B)]]^G differ, we can construct a turn-based game structure G' for which the valuations differ as well. There are two cases. If ⟨⟨1⟩⟩_B^G Ψ(s) < [[φ(1Pre_B)]]^G(s) for some state s ∈ S^G, then we fix a finite-memory optimal strategy of player 2 and show that in the resulting player-1 structure G1, there is a state t such that (∃_B^{G1} Ψ)(t) < [[φ(EPre_B)]]^{G1}(t). Similarly, if ⟨⟨1⟩⟩_B^G Ψ(s) > [[φ(1Pre_B)]]^G(s) for some state s ∈ S^G, then we fix a finite-memory optimal strategy of player 1 and argue on the resulting player-2 structure. The proof for quantitative games follows by a similar argument. Finally, we go from quantitative to boolean structures using Lemma 2. □

Suppose we are given an LTL formula Ψ. For verifying whether some path of a transition structure K^G satisfies Ψ, we can construct a μ-calculus formula φ(EPre_B) that is equivalent to ∃_B Ψ over all transition structures, and check φ(EPre_B) over K^G; this is, in fact, a symbolic model checking algorithm for LTL [3]. Now suppose that we want player 1 to control the game structure G for the objective Ψ. Theorem 1 tells us whether we can simply substitute the controllable predecessor operator 1Pre_B for the μ-calculus predecessor operator EPre_B in the fixpoint formula φ: the substitution works if and only if by substituting APre_B for EPre_B in φ we obtain a formula that is equivalent to the universal interpretation ∀_B Ψ of the LTL formula over all transition structures.

To see that this property is not trivial (i.e., not satisfied by every μ-calculus formula φ(EPre_B) that is equivalent to ∃_B Ψ), consider the co-Büchi formula Ψ = ◇□p. Over transition structures, ∃◇□p is equivalent to ∃◇∃□p, which is equivalent to the μ-calculus formula μx.(νy.(p ∧ EPre_B(y)) ∨ EPre_B(x)); indeed, this is the result of the standard translation from LTL to the μ-calculus for co-Büchi formulas [7, 4]. However, the corresponding game formula μx.(νy.(p ∧ 1Pre_B(y)) ∨ 1Pre_B(x)) does not compute the boolean valuation ⟨⟨1⟩⟩_B^G ◇□p for all game structures G: the game structure given in the introduction provides a counterexample. The criterion of Theorem 1 fails, because over transition structures, ∀◇□p is not equivalent to ∀◇∀□p, and therefore ∀_B Ψ is not equivalent to μx.(νy.(p ∧ APre_B(y)) ∨ APre_B(x)). This is not surprising, given that the solution of ω-regular games requires deterministic (and hence Rabin chain) ω-automata [15], whereas nondeterministic (and hence Büchi) ω-automata suffice for ω-regular verification. The translations of [7, 4] from LTL to the μ-calculus go via nondeterministic Büchi automata, and thus cannot be used to solve ω-regular games.

The following theorem characterizes the cost of checking the criterion given in Theorem 1. There is a gap between the lower and upper bounds, which is due to the gap between the best known lower and upper bounds for the equivalence problem between an LTL formula and a μ-calculus formula.

Theorem 2 Let Ψ be an LTL formula, and let φ be a one-player fixpoint formula. The complexity of checking whether ∃_B Ψ = [[φ]] is in 2EXPTIME and PSPACE-hard in the size of Ψ, and in EXPTIME in the size of φ. The complexity of checking whether ∀_B Ψ = [[φ]] is the same.

3.4 From verification to control: a syntactic criterion

Not all fixpoint formulas correspond to verification or control problems with respect to linear-time objectives. This is always the case, however, for the deterministic fixpoint formulas. The deterministic fixpoint formulas are generated by the grammar

$$\varphi ::= p \mid \neg p \mid x \mid \varphi \vee \varphi \mid p \wedge \varphi \mid \neg p \wedge \varphi \mid \mathit{pre}_1(\varphi) \mid \mathit{pre}_2(\varphi) \mid \mu x.\varphi \mid \nu x.\varphi.$$

From [6] we know that if φ(EPre_B) is a one-player deterministic fixpoint formula, then there is an ω-regular language Θ such that ∃_B Θ = [[φ(EPre_B)]]. However,


the examples (2) and (3) in the introduction illustrate that for such a formula φ(EPre_B), in general it is not the case that ⟨⟨1⟩⟩_B Θ = [[φ(1Pre_B)]]. In other words, the correspondence between the deterministic fixpoint formula and the ω-regular language does not necessarily carry over from verification to control. It is then natural to ask what other conditions we need, in addition to determinism, for a one-player fixpoint formula to have related meanings in verification and control. We answer this question by introducing a subclass of the deterministic formulas. A fixpoint formula φ is strongly deterministic iff φ consists of a string of fixpoint quantifiers followed by a quantifier-free part ψ, which is generated by the grammar

$$\psi ::= p \mid \neg p \mid \psi \vee \psi \mid p \wedge \psi \mid \neg p \wedge \psi \mid \mathit{pre}_1(\chi) \mid \mathit{pre}_2(\chi),$$

$$\chi ::= x \mid \chi \vee \chi.$$

Note that every strongly deterministic fixpoint formula is lean. The following theorem shows that the one-player strongly deterministic fixpoint formulas provide a syntactic class of fixpoint formulas for which the criterion of Theorem 1 applies. In particular, it follows that for every LTL formula Ψ, every one-player strongly deterministic fixpoint formula φ, and i = 1, 2, we have ⟨⟨i⟩⟩_V Ψ = [[φ(iPre_V)]].

Theorem 3 For every LTL formula Ψ and every one-player strongly deterministic fixpoint formula φ, we have ∃_B Ψ = [[φ(EPre_B)]] iff ∀_B Ψ = [[φ(APre_B)]].

Proof sketch. A strongly deterministic formula starts with a quantifier prefix. In the sequence μx1.νx2...νx_{2N} of alternating fixpoints, the variables are ranked by an "evaluation order" ≻ (this reflects the extension of the variables when the expression is being evaluated). Using this evaluation order, every one-player strongly deterministic fixpoint formula φ(EPre_B) can be brought into the normal form

$$\mu x_1.\nu x_2.\cdots\nu x_{2N}.\,\Big(d_0 \vee \bigvee_{j=1}^{2N} (d_j \wedge \mathit{EPre}_B(x_j))\Big),$$

for some N ≥ 0 and some mutually exclusive boolean combinations d0, d1, ..., d_{2N} of propositions. The theorem follows from the fact that this formula has essentially the same structure as the solution formula of a Rabin-chain game (cf. [5] and Section 4). □

While the one-player strongly deterministic fixpoint formulas obey strict syntactic conditions, the proof of Theorem 3 shows that they suffice for solving all control problems with Rabin-chain objectives. In turn, every ω-regular property can be specified by a deterministic Rabin-chain automaton [10, 15]. We can therefore transform every control problem with an ω-regular objective into a control problem with a Rabin-chain objective that is to be solved on the automata-theoretic product of the given game structure and a Rabin-chain automaton. Hence, at the cost of possibly enlarging the game structure, the one-player strongly deterministic fixpoint formulas suffice for the solution of games with arbitrary ω-regular objectives.

4  Dynamic  Programs  for  LTL 

We show that for every LTL formula Ψ we can construct an equivalent fixpoint formula that meets the criterion of Theorem 1. This formula has the following properties: it solves both the verification problem (on transition structures) for specification Ψ and the control problem (on game structures) for objective Ψ, both under boolean and quantitative interpretations. The construction is optimal for the boolean case, in that the 2EXPTIME complexity of the resulting algorithm for solving boolean games with LTL objectives matches the hardness of the problem [11].

4.1 (Co)Büchi and Rabin-chain games

The objective of a Büchi game is an LTL formula of the form $\Box\Diamond p$, for a proposition $p \in P$, and the objective of a co-Büchi game is an LTL formula of the form $\Diamond\Box p$. For $V \in \{B, R\}$ and $i = 1, 2$, the Büchi and co-Büchi valuations can be computed by the fixpoint formulas

$\langle\!\langle i \rangle\!\rangle_V\, \Box\Diamond p = [\![\nu y.\mu x.(iPre_V(x) \vee (p \wedge iPre_V(y)))]\!]$,

$\langle\!\langle i \rangle\!\rangle_V\, \Diamond\Box p = [\![\mu x.\nu y.(iPre_V(x) \vee (p \wedge iPre_V(y)))]\!]$.

The objective of a Rabin-chain game is an LTL formula of the form $\Phi = \bigvee_{j=0}^{k-1}(\Box\Diamond d_{2j} \wedge \neg\Box\Diamond d_{2j+1})$, where $k > 0$ is called the index of $\Phi$, and $d_0, \ldots, d_{2k}$ are boolean combinations of propositions such that $\emptyset = [\![d_{2k}]\!] \subseteq [\![d_{2k-1}]\!] \subseteq \cdots \subseteq [\![d_0]\!] = S^G$ for all game structures $G$. An alternative characterization of Rabin-chain games with objective $\Phi$ can be obtained by defining a family $\Omega^G_\Phi : S^G \to \{0, 1, \ldots, 2k-1\}$ of index functions, one for every game structure $G$, such that $\Omega^G_\Phi(s) = j$ for all states $s \in [\![d_j]\!] \setminus [\![d_{j+1}]\!]$. Given an infinite run $r$ of $G$, let $Inf(r) \subseteq S^G$ be the set of states that occur infinitely often along $r$, and let $MaxIndex(\Omega^G_\Phi, r) = \max\{\Omega^G_\Phi(s) \mid s \in Inf(r)\}$ be the largest index of such a state. Then, the run $r$ satisfies the objective $\Phi$ iff $MaxIndex(\Omega^G_\Phi, r)$ is even. For $V \in \{B, R\}$ and $i = 1, 2$, the Rabin-chain valuation can be computed by the fixpoint formula

$\langle\!\langle i \rangle\!\rangle_V\, \Phi = [\![\lambda_{2k-1} x_{2k-1}.\lambda_{2k-2} x_{2k-2} \ldots \mu x_1.\nu x_0.\bigvee_{j=0}^{2k-1}(d_j \wedge \neg d_{j+1} \wedge iPre_V(x_j))]\!]$,

where $\lambda_j = \nu$ if $j$ is even, and $\lambda_j = \mu$ if $j$ is odd (cf. [5]). Note that the fixpoint solutions for Büchi, co-Büchi, and Rabin-chain games are all one-player strongly deterministic fixpoint formulas.
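The three valuations above can be evaluated mechanically by iterating the nested fixpoints over a finite game structure. The following Python program is an added example, not code from the paper: it constructs a small five-state concurrent game structure (states, move sets and transition function are made up for illustration), implements the player-1 controllable predecessor under the boolean interpretation as `pre1` (the usual sure-winning operator: some player-1 move leads into the target for every player-2 reply), and evaluates the Büchi, co-Büchi and general Rabin-chain formulas exactly as written, with $\lambda_j = \nu$ for even and $\mu$ for odd $j$. It also exercises the index-function characterization: a co-Büchi objective $\Diamond\Box q$ is the Rabin-chain objective of index 1 with $d_1 = \neg q$, and a Büchi objective $\Box\Diamond p$ is the one of index 2 with $d_1 = true$ and $d_2 = p$; the solver returns the same winning sets either way. All function and variable names are the example's own.

```python
"""Added example (not the paper's code): evaluating the Büchi, co-Büchi and
Rabin-chain fixpoint formulas of Section 4.1 on a small concurrent game
structure G = (S, Γ1, Γ2, δ, ⟨·⟩) that is constructed here for illustration."""

STATES = frozenset({0, 1, 2, 3, 4})
# Γ1(s), Γ2(s): moves available to player 1 and player 2 at each state.
MOVES1 = {0: {"a", "b"}, 1: {"a"}, 2: {"a"}, 3: {"a"}, 4: {"a", "b"}}
MOVES2 = {0: {"x"}, 1: {"x", "y"}, 2: {"x"}, 3: {"x"}, 4: {"x", "y"}}
# δ(s, a1, a2): state 0 is controlled by player 1, state 1 by player 2,
# state 3 is a sink, and state 4 is a matching-pennies state.
DELTA = {
    (0, "a", "x"): 1, (0, "b", "x"): 2,
    (1, "a", "x"): 0, (1, "a", "y"): 3,
    (2, "a", "x"): 0,
    (3, "a", "x"): 3,
    (4, "a", "x"): 1, (4, "a", "y"): 2, (4, "b", "x"): 2, (4, "b", "y"): 1,
}


def pre1(target):
    """1Pre_B(target), the boolean (sure-winning) controllable predecessor:
    states where player 1 has a move that lands in target for every reply."""
    return {s for s in STATES
            if any(all(DELTA[(s, a1, a2)] in target for a2 in MOVES2[s])
                   for a1 in MOVES1[s])}


def iterate(step, start):
    """Iterate a monotone set transformer until it stabilises: from the empty
    set this yields the least fixpoint μ, from STATES the greatest fixpoint ν."""
    cur = frozenset(start)
    while True:
        nxt = frozenset(step(cur))
        if nxt == cur:
            return cur
        cur = nxt


def buchi(p, pre=pre1):
    """⟨⟨1⟩⟩ □◇p = νy.μx.(Pre(x) ∨ (p ∧ Pre(y)))."""
    return iterate(lambda y: iterate(lambda x: pre(x) | (p & pre(y)), ()), STATES)


def cobuchi(p, pre=pre1):
    """⟨⟨1⟩⟩ ◇□p = μx.νy.(Pre(x) ∨ (p ∧ Pre(y)))."""
    return iterate(lambda x: iterate(lambda y: pre(x) | (p & pre(y)), STATES), ())


def rabin_chain(d, pre=pre1):
    """Rabin-chain valuation for d = [d_0, ..., d_{2k}] with
    STATES = d_0 ⊇ d_1 ⊇ ... ⊇ d_{2k} = ∅:
        λ_{2k-1}x_{2k-1}. ... μx_1.νx_0. ⋁_j (d_j ∧ ¬d_{j+1} ∧ Pre(x_j)),
    λ_j = ν for even j and μ for odd j, solved by recursion from the outermost variable."""
    n = len(d) - 1                      # variables x_0 .. x_{n-1}, n = 2k
    region = [frozenset(d[j]) - frozenset(d[j + 1]) for j in range(n)]  # index-j states

    def body(xs):
        out = set()
        for j in range(n):
            out |= region[j] & pre(xs[j])
        return out

    def solve(j, xs):
        if j < 0:
            return body(xs)
        start = STATES if j % 2 == 0 else ()          # ν for even j, μ for odd j
        return iterate(lambda val: solve(j - 1, xs[:j] + [val] + xs[j + 1:]), start)

    return solve(n - 1, [frozenset()] * n)


def cobuchi_as_rabin_chain(q):
    """◇□q as the Rabin-chain objective of index 1: the ¬q states get index 1 (odd),
    so MaxIndex is even iff ¬q is visited only finitely often."""
    return rabin_chain([STATES, STATES - q, frozenset()])


def buchi_as_rabin_chain(p):
    """□◇p as the Rabin-chain objective of index 2: p states get index 2 (even),
    all others index 1, so MaxIndex is even iff p is visited infinitely often."""
    return rabin_chain([STATES, STATES, p, frozenset(), frozenset()])


if __name__ == "__main__":
    p, q = frozenset({2}), frozenset({0, 2, 3})
    print("Büchi    □◇{2}     :", sorted(buchi(p)), sorted(buchi_as_rabin_chain(p)))
    print("co-Büchi ◇□{0,2,3} :", sorted(cobuchi(q)), sorted(cobuchi_as_rabin_chain(q)))
```

On this structure player 1 surely wins the Büchi objective $\Box\Diamond\{2\}$ only from states 0 and 2: from state 1 the adversary can divert into the sink 3, and from the matching-pennies state 4 no single move forces the play into the winning region. The co-Büchi objective $\Diamond\Box\{0,2,3\}$ is won everywhere, since 1 and 4 can each be visited at most once before the play is trapped in $\{0,2,3\}$.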

4.2  LTL  games 

Given an LTL formula $\Psi$, we construct a lean one-player fixpoint formula $\varphi_\Psi$ such that

$\langle\!\langle i \rangle\!\rangle_V\, \Psi = [\![\varphi_\Psi(iPre_V)]\!]$ (29)

for $V \in \{B, R\}$ and $i = 1, 2$. Following [5, 10], our construction is based on deterministic Rabin-chain automata (also called parity automata [14]). A Rabin-chain automaton of index $k$ over the input alphabet $2^P$ is a tuple $C = (Q, Q_0, \Delta, \langle\cdot\rangle, \Omega)$, where $Q$ is a finite set of states, $Q_0 \subseteq Q$ is the set of initial states, $\Delta : Q \to 2^Q$ is the transition relation, $\langle\cdot\rangle : Q \to 2^P$ assigns propositions to states, and $\Omega : Q \to \{0, \ldots, 2k-1\}$ is the acceptance condition. An execution of $C$ from a source state $q_0 \in Q$ is an infinite sequence $q_0 q_1 q_2 \cdots$ of automaton states such that $q_{j+1} \in \Delta(q_j)$ for all $j \geq 0$; if $q_0 \in Q_0$, we say that the execution is initialized. The execution $e = q_0 q_1 q_2 \cdots$ is generated by the trace $\langle e \rangle = \langle q_0 \rangle \langle q_1 \rangle \langle q_2 \rangle \cdots$. The execution $e$ is accepting if $MaxIndex(\Omega, e)$ is even. The language $L(C)$ is the set of traces $\pi$ such that $C$ has an initialized accepting execution $e$ generated by $\pi$. The automaton $C$ is deterministic and total if (1a) for all states $q', q'' \in Q_0$, if $q' \neq q''$, then $\langle q' \rangle \neq \langle q'' \rangle$; (1b) for all proposition sets $P' \subseteq P$, there is a state $q' \in Q_0$ such that $\langle q' \rangle = P'$; (2a) for all states $q \in Q$ and $q', q'' \in \Delta(q)$, if $q' \neq q''$, then $\langle q' \rangle \neq \langle q'' \rangle$; (2b) for all states $q \in Q$ and all proposition sets $P' \subseteq P$, there is a state $q' \in \Delta(q)$ such that $\langle q' \rangle = P'$. If $C$ is deterministic and total, then we write $\Delta(q, P')$ for the unique state $q' \in \Delta(q)$ with $\langle q' \rangle = P'$.

From the LTL formula $\Psi$, we construct a deterministic, total Rabin-chain automaton $C_\Psi$ such that $L(\Psi) = L(C_\Psi)$, by first building a nondeterministic Büchi automaton with the language $L(\Psi)$ [16], and then determinizing it [12, 13]. Let $C_\Psi = (Q, Q_0, \Delta, \langle\cdot\rangle, \Omega)$. In order to obtain a lean fixpoint formula $\varphi_\Psi$ we need to compute the set $F \subseteq Q$ of automaton states $q$ such that all executions with source $q$ are accepting. To this end, it suffices to compute the set $Q \setminus F$ of states $q'$ such that there is an execution $e$ with source $q'$ and $MaxIndex(\Omega', e)$ is even, where $\Omega'$ is the complementary acceptance condition with $\Omega'(q) = (2k-1) - \Omega(q)$ for all states $q \in Q$. This corresponds to checking the nonemptiness of a Rabin-chain automaton [5].

We derive the fixpoint formula $\varphi_\Psi$ that satisfies (29) in two steps. First, we build a fixpoint formula $\varphi'$ that solves the game with objective $\Psi$ on the product structure $G \times C$, for all game structures $G$. From $\varphi'$, we then construct the formula $\varphi_\Psi$ that solves the game directly on $G$, for all $G$. Consider an arbitrary game structure $G = (S, \Gamma_1, \Gamma_2, \delta, \langle\cdot\rangle)$. Define $G \times C = (S', \Gamma'_1, \Gamma'_2, \delta', \langle\cdot\rangle')$, where $S' = \{(s, q) \in S \times Q \mid \langle s \rangle = \langle q \rangle\}$, where $\Gamma'_i(s, q) = \Gamma_i(s)$ for $i = 1, 2$, where $\delta'((s, q), a_1, a_2) = (\delta(s, a_1, a_2), \Delta(q, \langle \delta(s, a_1, a_2) \rangle))$. Finally, for $q \notin F$ let $\langle (s, q) \rangle' = \langle s \rangle \cup \{c_{\Omega(q)}\}$, and for $q \in F$ let $\langle (s, q) \rangle' = \langle s \rangle \cup \{f, c_{\Omega(q)}\}$, where $f, c_0, \ldots, c_{2k-1}$ are new propositions.

We construct $\varphi'$ by proceeding similarly to [2]. We give the fixpoint formula $\varphi'$ in equational form; it can then be unfolded into a nested fixpoint formula in the standard way. The formula $\varphi'$ is composed of blocks $B_0, \ldots, B_{2k-1}$, where $B_0$ is the innermost block and $B_{2k-1}$ the outermost block. The block $B_0$ is a $\nu$-block which consists of the single equation $x_0 = f \vee \bigvee_{j=0}^{2k-1}(c_j \wedge Pre_i(x_j))$. For $0 < \ell \leq 2k-1$, the block $B_\ell$ is a $\mu$-block if $\ell$ is odd, and a $\nu$-block if $\ell$ is even; in either case it consists of the single equation $x_\ell = x_{\ell-1}$. The output variable is $x_{2k-1}$. Then, $(\langle\!\langle i \rangle\!\rangle_V\, \Psi)(s) = [\![\varphi'(iPre_V)]\!]^{G \times C}(s, q)$ for all states $s \in S$ and for the unique $q \in Q_0$ such that $(s, q) \in S'$.

The formula $\varphi_\Psi$ mimics on $G$ the evaluation of $\varphi'$ on $G \times C$. For each variable $x_\ell$ of $\varphi'$, for $0 \leq \ell \leq 2k-1$, the formula $\varphi_\Psi$ contains the set $\{x_\ell^q \mid q \in Q\}$ of variables: the value of $x_\ell^q$ at $s$ keeps track of the value of $x_\ell$ at $(s, q)$. The formula $\varphi_\Psi$ is composed of the blocks $B_0, \ldots, B_{2k-1}$: for $0 \leq \ell \leq 2k-1$, the block $B_\ell$ consists of the set $\{E_\ell^q \mid q \in Q\}$ of equations. The equation $E_\ell^q$ is derived from the equation for $x_\ell$ in $\varphi'$ by replacing the variable $x_\ell$ on the left-hand side with the variable $x_\ell^q$, by replacing $c_j$ with $T$ if $\Omega(q) = j$ and $F$ otherwise, by replacing $f$ with $T$ if $q \in F$ and $F$ otherwise, and by replacing $Pre_i(x_j)$ with $Pre_i(\bigvee_{q' \in \Delta(q)} x_j^{q'})$; the right-hand side is then conjuncted with the propositions in $\langle q \rangle$. The block $B_{2k-1}$ contains the extra equation $x_{out} = \bigvee_{q \in Q_0} x_{2k-1}^q$, which defines the output variable $x_{out}$. Note that $\varphi_\Psi$ is independent of the game structure $G$, and contains no propositions other than those in $\Psi$.

Theorem 4 For every LTL formula $\Psi$ and $i = 1, 2$, we have $\langle\!\langle i \rangle\!\rangle_B\, \Psi = [\![\varphi_\Psi(iPre_B)]\!]$. Moreover, the fixpoint formula $\varphi_\Psi$ is lean and its size is doubly exponential in the size of $\Psi$.

Since $\varphi_\Psi$ is lean, by Theorem 1 it follows that $\langle\!\langle i \rangle\!\rangle_R\, \Psi = [\![\varphi_\Psi(iPre_R)]\!]$. The doubly exponential size of $\varphi_\Psi$ is optimal, because boolean games with LTL objectives are 2EXPTIME-hard [11].
Abstract

Deciding infinite two-player games on finite graphs with the winning condition specified by a linear temporal logic (Ltl) formula is known to be 2Exptime-complete. In this paper, we identify Ltl fragments of lower complexity. Solving Ltl games typically involves a doubly-exponential translation from Ltl formulas to deterministic ω-automata. First, we show that the longest distance (length of the longest simple path) of the generator is also an important parameter, by giving an $O(d \log n)$-space procedure to solve a Büchi game on a graph with $n$ vertices and longest distance $d$. Then, for the Ltl fragment with only eventualities and conjunctions, we provide a translation to deterministic generators of exponential size and linear longest distance, show both of these bounds to be optimal, and prove the corresponding games to be Pspace-complete. Introducing next modalities in this fragment, we provide a translation to deterministic generators still of exponential size but also with exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be Exptime-complete. For the fragment resulting by further adding disjunctions, we provide a translation to deterministic generators of doubly-exponential size and exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be in Expspace. Finally, we show tightness of the double-exponential bound on the size as well as the longest distance for deterministic generators for Ltl even in the absence of next and until modalities.
1 Introduction

Linear temporal logic (Ltl) is a popular choice for specifying correctness requirements of reactive systems [14, 13]. An Ltl formula is built from state predicates, boolean connectives, and temporal modalities such as next, eventually, always, and until, and is interpreted over infinite sequences of states modeling computations of reactive programs. The most studied decision problem concerning Ltl is model checking: given a finite-state abstraction $G$ of a reactive system and an Ltl formula $\varphi$, do all infinite computations of $G$ satisfy $\varphi$? The first step of the standard solution to model checking involves translating a given Ltl formula to a (non-deterministic) Büchi automaton that accepts all of its satisfying models [12, 21]. Such a translation is central to solving the satisfiability problem for Ltl also. The translation can be exponential in the worst case, and in fact, both model checking and satisfiability are Pspace-complete [18].

The standard interpretation of Ltl over infinite computations is the natural one for closed systems, where a closed system is a system whose behavior is completely determined by the state of the system. However, the compositional modeling and design of reactive systems requires each component to be viewed as an open system, where an open system is a system that interacts with its environment and whose behavior depends on the state of the system as well as the behavior of the environment. In the setting of open systems, the key decision problem is to compute the winning strategies in infinite two-player games. In the satisfiability game, we are given an Ltl formula $\varphi$ and a partitioning of atomic propositions into inputs and outputs, and we wish to determine if there is a strategy to produce outputs so that no matter which inputs are supplied, the resulting computation satisfies $\varphi$. This problem has been formulated in different contexts such as synthesis of reactive modules [15], realizability of liveness specifications [4], and receptiveness [5]. In the model-checking game, we are given an Ltl specification $\varphi$, and a game graph $G$ whose states are partitioned into system states and environment states. We wish to determine if the protagonist has a strategy to ensure that the resulting computation satisfies $\varphi$ in the infinite game in which the protagonist chooses the successor in all system states and the adversary chooses the successor state in all environment states. This problem appears in contexts such as module checking and its variants [9, 10], and the definition of alternating temporal logic [2]. Such game-based model checking for restricted formulas such as "always $p$" has already been implemented in the software Mocha [3], and shown to be useful in construction of the most-general environments for automating assume-guarantee reasoning [1].

We focus on the game version of model checking: given a game graph $G$ and an Ltl formula $\varphi$, what is the complexity of deciding whether a given player has a winning strategy starting from a given initial state (the game version of satisfiability is a special case, and similar bounds apply). It is known that the complexity of this problem is doubly-exponential in the size of the Ltl formula, and the problem is 2Exptime-complete [15]. Note that the complexity is much lower for formulas of specific form: generalized Büchi games (formulas of the form $\bigwedge_i \Box\Diamond p_i$) are solvable in polynomial time, and Streett games (formulas of the form $\bigwedge_i (\Box\Diamond p_i \to \Box\Diamond q_i)$) are coNP-complete (the dual Rabin games are NP-complete) [16, 7]. It is worth mentioning that, in standard model checking, while full Ltl is Pspace-complete, the fragment which allows only eventually and always operators (but no next or until) has a small model property and is NP-complete [18] (see also [6] for complexity results on simpler fragments of Ltl). This motivated us to consider the problem addressed in this paper: are there fragments of Ltl for which games have complexity lower than 2Exptime?

The standard approach to solving games for Ltl is by reduction to a game on the product of the game graph and a deterministic automaton that accepts all the models of the given formula. The winning condition in this reduced game corresponds to the type of the acceptance condition (e.g. Büchi or Rabin) for the deterministic generator¹. To obtain a deterministic generator, the standard approach is to first build a nondeterministic generator and then determinize it. Each of these steps costs an exponential, and it is known that there are Ltl formulas whose deterministic generators have to be doubly-exponential [11].

¹In the automata-theoretic formulation of the problem [20], the game graph can be viewed as a tree automaton that generates all the strategies of one of the players. From the formula $\varphi$, we can construct a tree automaton that accepts precisely those trees all of whose paths satisfy $\varphi$, take product with the game tree automaton, and test for emptiness. This approach has the same computational essence, and requires determinization.

In this paper, we give a comprehensive study of deterministic generators and game complexities of various Ltl fragments. We use the notation Ltl($op_1, \ldots, op_k$) to denote the fragment of Ltl given by top-level boolean combination of formulas which use only the boolean connectives and the temporal operators in the list $op_1, \ldots, op_k$. Our first result is a construction of a singly-exponential deterministic Büchi automaton for the fragment Ltl($\Diamond, \wedge$). This construction is different from the standard tableau-based construction, and builds the automaton for a formula in a modular way from the automata for its subformulas. This immediately gives a single exponential bound for Ltl($\Diamond, \wedge$) games by using the standard algorithm for Büchi games. However, the deterministic generators have the property that the longest simple path is at most linear in the size of the formula. We show that this property can be exploited to reduce space requirement. In fact, we show a general result: in a game graph with $n$ vertices and longest distance $d$ (that is, length of longest simple path), a Büchi game can be solved in space $O(d \log n)$ (the conventional algorithm uses $O(n)$ space). This leads us to the result that Ltl($\Diamond, \wedge$) games can be solved in Pspace, and we show a matching lower bound. Note that the fragment Ltl($\Diamond, \wedge$) contains boolean combinations of invariant ("always $p$") and termination ("eventually $q$") properties, and thus includes many of the commonly used specifications.

Combining next modalities with the eventualities raises the complexity. For any formula in Ltl($\bigcirc, \Diamond, \wedge$), we show how to construct a deterministic Büchi generator with both states and longest distance of exponential size. The construction is optimal since there exists an Ltl($\bigcirc, \Diamond, \wedge$) formula for which all deterministic generators must have exponential longest distance. This construction leads to an Exptime algorithm for solving games in Ltl($\bigcirc, \Diamond, \wedge$), and we show a matching lower bound.

Adding disjunctions to Ltl($\bigcirc, \Diamond, \wedge$) raises complexity. Given an Ltl($\bigcirc, \Diamond, \wedge, \vee$) formula, we show how to construct a corresponding deterministic Büchi automaton with doubly-exponential states and singly-exponential longest distance. The construction is optimal since we show that there is an Ltl($\Diamond, \wedge, \vee$) formula whose deterministic generator must be doubly-exponential with singly-exponential longest distance. Our construction leads to an Expspace algorithm for solving games in Ltl($\bigcirc, \Diamond, \wedge, \vee$). A matching lower bound remains an open problem.

The nesting of eventually and always modalities causes a further increase in the complexity. We prove that there exists a formula in Ltl($\Box, \Diamond, \wedge, \vee$) whose deterministic generator must be doubly-exponential with doubly-exponential longest distance, which matches the upper bound for full Ltl. This is in sharp contrast to the fact that the longest distance of nondeterministic generators for Ltl($\Box, \Diamond, \wedge, \vee$) formulas is only linear, and becomes exponential only by addition of next or until modalities.


2 Definitions

2.1 Linear Temporal Logic

We first recall the syntax and the semantics of linear temporal logic. We will define temporal logics by assuming that the atomic formulas are state predicates, that is, boolean combinations of atomic propositions. Given a set $P$ of atomic propositions, a linear temporal logic (Ltl) formula is composed of state predicates, the boolean connectives conjunction ($\wedge$) and disjunction ($\vee$), and the temporal operators Next ($\bigcirc$), Eventually ($\Diamond$), Always ($\Box$), and Until ($\mathcal{U}$). Formulas are built up in the usual way from these operators and connectives, according to the following grammar

$\varphi ::= p \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \bigcirc\varphi \mid \Diamond\varphi \mid \Box\varphi \mid \varphi\,\mathcal{U}\,\varphi.$

An ω-word over a given alphabet $\Sigma$ is a mapping from $\mathbb{N}$ into $\Sigma$, that is, an infinite sequence of symbols over $\Sigma$. Ltl formulas are interpreted on an ω-word $w = w_0 w_1 w_2 \cdots$ over the alphabet $\Sigma = 2^P$ and the satisfaction relation $w \models \varphi$ is defined in the standard way. In the following, we will use the notation Ltl($op_1, \ldots, op_k$) to denote the fragment of Ltl which contains boolean combinations of basic formulas which use only the boolean connectives and the temporal operators in the list $op_1, \ldots, op_k$.

2.2 Finite automata on ω-words

Automata on ω-words have been extensively studied in relation to temporal logic [8]. In this section, we will recall the definition of Büchi automata and the results relating them to Ltl as generators of models.

A nondeterministic transition graph is a 4-tuple $(\Sigma, S, S_0, \Delta)$, where $\Sigma$ is an alphabet, $S$ is a finite set of states, $S_0 \subseteq S$ is the set of initial states, and $\Delta$ is a subset of $S \times \Sigma \times S$. A transition graph is deterministic if $|S_0| = 1$ and $\Delta$ defines a total function $\delta$ from $S \times \Sigma$ into $S$. In the following, when we consider deterministic transition graphs, we will define directly this function $\delta$ instead of the transition relation $\Delta$. The behavior of a transition graph on a word is captured by the concept of a run. Let $A = (\Sigma, S, S_0, \Delta)$ be a transition graph and $w$ be an ω-word; a run of $A$ on $w$ is a mapping $r : \mathbb{N} \to S$ such that $r(0) \in S_0$ and for all $i \in \mathbb{N}$, $(r(i), w(i), r(i+1)) \in \Delta$. Given a run $r$ on a word $w$, we denote with $Inf(r)$ the set of states appearing infinitely often in $r$. A clear property of deterministic transition graphs is that they have exactly one run for each word.

Given a transition graph we define an automaton by specifying the acceptance conditions. A nondeterministic (resp. deterministic) Büchi automaton is a 5-tuple $A = (\Sigma, S, S_0, \Delta, F)$, where $(\Sigma, S, S_0, \Delta)$ is a nondeterministic (resp. deterministic) transition graph and $F \subseteq S$ is the set of the accepting states. An ω-word $w$ is accepted by a Büchi automaton $A$ iff there exists a run $r$ of $A$ on $w$ such that $Inf(r) \cap F \neq \emptyset$. The language accepted by $A$, denoted by $L(A)$, is defined to be the set $\{w \mid w$ is accepted by $A\}$.

For our results, besides the size, another characterizing measure of an automaton $A$ is the length of the longest simple directed path connecting two states in the transition graph. We will refer to this measure as the longest distance of $A$.

For every Ltl formula $\varphi$, it is possible to construct an automaton on ω-words accepting all models of it. We will denote such an automaton as $A_\varphi$ and we will refer to it as a generator of models for $\varphi$. A deterministic generator for an Ltl formula $\varphi$ of size $O(exp(exp(|\varphi|)))$ can be obtained in the following way: from the formula $\varphi$, by the tableau construction, it is possible to construct a nondeterministic Büchi generator of size $O(exp(|\varphi|))$ [12, 21]; this automaton can then be determinized so that we obtain a deterministic Rabin automaton of size $O(exp(exp(|\varphi|)))$ [17]. Notice that in general, for a given formula $\varphi$, a deterministic Büchi generator may not exist but, when it exists, it has been proved that the translation from Ltl formulas to deterministic Büchi automata is doubly-exponential [11], and thus, the above construction is asymptotically optimal.

2.3 Game graphs

In this section we will introduce the notation concerning two-player games. A two-player game is modeled by a game graph and a winning condition. A game graph is a tuple $G = (V, V_0, V_1, \Sigma, \gamma)$ where $V$ is a finite or countable set of vertices, $V_0$ and $V_1$ define a partition of $V$, $\Sigma$ is a finite set of actions and $\gamma : V \times \Sigma \to V$ is a partial function. For $i = 0, 1$, the vertices in $V_i$ are those from which only Player$_i$ can move and the allowed moves are given by the function $\gamma$. A winning condition is a predicate over ω-words of vertices, and depending on its type, we can have different kinds of games. In this paper we will consider only Büchi and Ltl games. In a Büchi game, the winning condition is given by a set of vertices $F \subseteq V$ with the requirement that at least a state in $F$ must repeat infinitely often. In an Ltl game, the winning condition is instead an Ltl formula.

A play of a game $G$ is constructed as a sequence of vertices corresponding to the actions taken by the two players. Formally, a play starting at $x_0$ is a sequence $x_0 x_1 \ldots x_h$ in $V^*$ with the property that there exists a sequence of actions $a_1, \ldots, a_h \in \Sigma$ such that $\gamma(x_{j-1}, a_j) = x_j$, for $j = 1, \ldots, h$. Starting from a vertex $x_0$, a game $G$ can be seen as the ω-tree $T(G, x_0)$, called a game tree, which is obtained by unwinding $G$ from $x_0$. Each node of this tree corresponds to a play starting at $x_0$: the root corresponds to $x_0$ and, if a node corresponds to a play $x_0 \ldots x_h$, then each of its children corresponds to a possible continuation of the play $x_0 \ldots x_h$, i.e. to a play $x_0 \ldots x_h x_{h+1}$ such that $\gamma(x_h, a) = x_{h+1}$ for an action $a \in \Sigma$. A strategy for Player$_i$ gives an allowed move to continue each play ending at a vertex in $V_i$. More formally, a strategy for Player$_i$ is a total function $f : V^* V_i \to V$ mapping a node in the function domain into one of its successors in the game tree. A strategy then corresponds to a tree obtained from the game tree by pruning all the subtrees containing plays that are not constructed according to $f$. When a strategy depends only on the last vertex of a play, it is called a memoryless strategy.

Given a game $G$ and a winning condition $W$, a strategy $f$ is said to be a winning strategy if the requirement expressed by $W$ holds on all the paths of the tree corresponding to $f$. In a two-player game, given a game $G$ and a winning condition $W$, we consider the decision problem: "Is there a strategy for Player$_i$ satisfying the winning condition $W$?" We remark that while Büchi games admit memoryless winning strategies and can be solved in quadratic time, Ltl games in general do not have a memoryless winning strategy and are decidable in time polynomial in $|G|$ and doubly-exponential in $|\varphi|$ [15].


3 Deterministic generators

We begin this section by introducing a proper subclass of deterministic Büchi automata whose transition function defines a partial order over the states. To emphasize this property, we call an automaton in this class a partially-ordered deterministic Büchi automaton (PODB). Then, we will show that, for formulas in some fragments of Ltl, it is possible to construct a deterministic generator which is a PODB.

A PODB is a deterministic Büchi automaton whose transition graph is a directed acyclic graph except for the self-loops. Obviously, the longest distance of a PODB is the longest distance between the initial state and a sink state, where an initial and a sink state are respectively a minimal and a maximal state with respect to the partial order induced by the transition function of the PODB. PODBs are closed under boolean operations.

Proposition 3.1 For $i = 1, 2$, let $A_i$ be PODBs of size $n_i$ and longest distance $d_i$. There exists a PODB $A_1 \cap A_2$ (resp. $A_1 \cup A_2$) accepting the language $L(A_1) \cap L(A_2)$ (respectively, $L(A_1) \cup L(A_2)$), and such that its size is $O(n_1 n_2)$ and its longest distance is not greater than $d_1 + d_2$. Moreover, for $i = 1, 2$, there exists a PODB $\bar{A}_i$ of size $n_i$ and longest distance $d_i$ accepting $\Sigma^\omega \setminus L(A_i)$.

Note that to prove the above proposition, the construction for intersection does not require the introduction of a counter as in the case of general deterministic Büchi automata. Moreover, the above results on intersection and union are naturally extended to a tuple of automata $A_1, \ldots, A_k$, and we will denote the corresponding automata with $A_1 \cap \ldots \cap A_k$ and $A_1 \cup \ldots \cup A_k$, respectively.

The following automaton construction will be used in the next sections to build the generator for $\Diamond(p \wedge \varphi)$ given the generator for $\varphi$. Let $A = (\Sigma, S, s_0, \delta, F)$ be a Büchi automaton and $p$ be a predicate over $\Sigma$. Given a $s'_0 \notin S$, we define the (deterministic) Büchi automaton $A^{(p, s'_0)}$ as $(\Sigma, S \cup \{s'_0\}, s'_0, \delta', F)$ where:

• $\delta'(s, a) = \delta(s, a)$ for $s \in S$,

• $\delta'(s'_0, a) = \delta(s_0, a)$ for $a$ satisfying $p$, and

• $\delta'(s'_0, a) = s'_0$, otherwise.

The construction is illustrated in Figure 1.

Proposition 3.2 Let $A = (\Sigma, S, s_0, \delta, F)$ be a (deterministic) Büchi automaton of size $n$ and longest distance $d$ such that $\Sigma\, L(A) \subseteq L(A)$, and $p$ be a predicate over $\Sigma$. The (deterministic) automaton $A^{(p, s'_0)}$ has size $O(n)$, longest distance $d + 1$ and accepts the language $\Sigma^* [p] L(A)$, where $[p] = \{a \in \Sigma \mid a$ satisfies $p\}$. Moreover, if $A$ is a PODB then $A^{(p, s'_0)}$ is a PODB also.

Figure 1: Graphical representation of the automaton $A^{(p, s'_0)}$.

3.1  Generators  for  Ltl(0,  A) 

The  fragment  Ltl(0,a)  contains  boolean  combi¬ 
nations  of  formulas  built  from  state  predicates  using 
eventualities  and  conjunctions.  Thus,  negations  and 
disjunctions  are  allowed  only  at  the  top-level  and  at 
the  atomic  level.  By  definition,  Ltl(0,a)  is  equiva¬ 
lent  to  LTL(n,V).  A  sample  formula  of  this  fragment 
is  Dp  V  0{q  A  Or).  This  fragment  includes  combina¬ 
tions  of  typical  invariants  and  termination  properties. 

Let us consider the formula $\varphi = \Diamond p_1 \wedge \ldots \wedge \Diamond p_n$, where $p_i \in P$ for $i = 1, \ldots, n$. Obviously, $\varphi$ is in LTL(◇,∧). This formula asserts that each one of $p_1, \ldots, p_n$ has to be true sometimes. Then, a deterministic generator $A_\varphi$ for $\varphi$ has to keep track only of the set of atomic propositions which have already been fulfilled. The size of $A_\varphi$ is $O(2^n)$ and its longest distance is the cardinality of the maximal totally ordered set of states with respect to the subset relation, that is, $n$. We proceed to show that all the LTL(◇,∧) formulas have a deterministic generator which is a PODB of exponential size and linear longest distance, but first we introduce a characterization of the formulas in the considered fragment. A formula $\varphi$ in LTL(◇,∧) is a boolean combination of formulas defined inductively by the following rules:

• $\varphi$ is a state predicate over $P$, or

• for $k > 0$, $\varphi$ is $p \wedge \Diamond\varphi_1 \wedge \ldots \wedge \Diamond\varphi_k$, where $p$ is a state predicate over $P$ and $\varphi_1, \ldots, \varphi_k$ are formulas in LTL(◇,∧) that do not contain negations and disjunctions at the top level.

Theorem 3.3 There exists a deterministic Büchi automaton $A$ accepting all the models of a formula $\varphi$ in LTL(◇,∧) such that $A$ is a PODB of $O(\exp(|\varphi|))$ size and $O(|\varphi|)$ longest distance.


Proof. We inductively define a deterministic Büchi automaton $A$ accepting all the models of a given formula $\Diamond\varphi$ in LTL(◇,∧) such that $A$ is a PODB of exponential size and linear longest distance in $|\varphi|$, and then by Proposition 3.1 this result is extended to a general formula in LTL(◇,∧). For a state predicate $p$, we define $A_p$ and $A_{\Diamond p}$ as the minimal deterministic generators for $p$ and $\Diamond p$, respectively. Clearly, $A_p$ and $A_{\Diamond p}$ are PODBs and $A_{\Diamond p}$ is such that $\Sigma^* L(A_{\Diamond p}) \subseteq L(A_{\Diamond p})$. Now, let $\psi$ be the formula $\Diamond(p \wedge \Diamond\psi_1 \wedge \ldots \wedge \Diamond\psi_k)$ and, for a formula $\gamma \in \{\psi_1, \ldots, \psi_k\}$, let $A_{\Diamond\gamma}$ be a PODB accepting all the models of $\Diamond\gamma$. By the inductive hypothesis, the size of $A_{\Diamond\gamma}$ is $O(\exp(|\Diamond\gamma|))$ and the longest distance of $A_{\Diamond\gamma}$ is $O(|\Diamond\gamma|)$. Obviously, $\Sigma^* L(A_{\Diamond\gamma}) \subseteq L(A_{\Diamond\gamma})$ also holds. Then, by Proposition 3.1, $A' = A_{\Diamond\psi_1} \otimes \ldots \otimes A_{\Diamond\psi_k}$ is a PODB of $O(\exp(|\Diamond\psi_1| + \ldots + |\Diamond\psi_k|))$ size, $O(|\Diamond\psi_1| + \ldots + |\Diamond\psi_k|)$ longest distance, and such that $\Sigma^* L(A') \subseteq L(A')$. Thus, from Proposition 3.2, we have that $A_\psi = A'^{(p,s_0)}$ is the generator for $\psi$. ■
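The two building blocks of this section, as an added example that is not the paper's code: the subset-tracking generator for $\Diamond p_1 \wedge \ldots \wedge \Diamond p_n$ (Section 3.1) and the prefix construction $A^{(p,s_0)}$ of Proposition 3.2 as we read it from the definition of $\delta'$ above (a fresh initial state that waits for a letter satisfying $p$). Longest distance is measured here in edges of the transition graph, and the automaton names and the lasso-word encoding are this example's own conventions.

```python
# Added example (not the paper's code): deterministic generators for LTL(<>,/\) as in
# Section 3.1, plus the prefix construction of Proposition 3.2.
from itertools import combinations
from typing import Any, Callable, FrozenSet, Iterable, List, Set

Letter = FrozenSet[str]   # a letter of 2^P: the atomic propositions true at one position
State = Any


class DBA:
    """Deterministic Buchi automaton over 2^P given by a transition function and an
    acceptance predicate; only states reachable from the initial one are kept."""

    def __init__(self, props: Iterable[str], initial: State,
                 delta: Callable[[State, Letter], State], final: Callable[[State], bool]):
        self.props = tuple(props)
        self.alphabet = [frozenset(c) for r in range(len(self.props) + 1)
                         for c in combinations(self.props, r)]
        self.initial, self.delta, self.final = initial, delta, final
        self.states: Set[State] = self._reachable()

    def _reachable(self) -> Set[State]:
        seen, stack = {self.initial}, [self.initial]
        while stack:
            s = stack.pop()
            for a in self.alphabet:
                t = self.delta(s, a)
                if t not in seen:
                    seen.add(t)
                    stack.append(t)
        return seen

    def size(self) -> int:
        return len(self.states)

    def longest_distance(self) -> int:
        """Edges on the longest simple path of the transition graph (self-loops ignored);
        exhaustive search, adequate for the small automata built here."""
        succ = {s: {self.delta(s, a) for a in self.alphabet} - {s} for s in self.states}
        best = 0

        def dfs(s: State, visited: Set[State], length: int) -> None:
            nonlocal best
            best = max(best, length)
            for t in succ[s]:
                if t not in visited:
                    dfs(t, visited | {t}, length + 1)

        for s in self.states:
            dfs(s, {s}, 0)
        return best

    def accepts_lasso(self, prefix: List[Letter], loop: List[Letter]) -> bool:
        """Buchi acceptance of prefix . loop^omega: iterate the loop until the state at a loop
        boundary repeats, then check whether the periodic part of the run meets an accepting state."""
        s = self.initial
        for a in prefix:
            s = self.delta(s, a)
        starts, hits = [], []   # state at the start of each iteration / accepting state seen in it
        while s not in starts:
            starts.append(s)
            hit = False
            for a in loop:
                s = self.delta(s, a)
                hit = hit or self.final(s)
            hits.append(hit)
        return any(hits[starts.index(s):])


def eventualities_generator(props: Iterable[str], goals: Iterable[str]) -> DBA:
    """A_phi for phi = <>p_1 /\ ... /\ <>p_n (goals = {p_1..p_n}, a subset of props): the state
    is the set of goals already fulfilled, giving 2^n states and a subset chain of length n."""
    goal = frozenset(goals)
    return DBA(props, frozenset(), lambda s, a: s | (a & goal), lambda s: s == goal)


def prefix_construction(aut: DBA, p: Callable[[Letter], bool]) -> DBA:
    """A^{(p,s0)} of Proposition 3.2 as read from delta': a fresh initial state loops until a
    letter satisfying p arrives and then behaves as aut from its initial state, so the result
    accepts Sigma^*[p]L(aut) with one more state and one more edge on the longest path."""
    wait = ("wait",)   # fresh state, distinct from aut's frozenset states

    def delta(s: State, a: Letter) -> State:
        if s == wait:
            return aut.delta(aut.initial, a) if p(a) else wait
        return aut.delta(s, a)

    return DBA(aut.props, wait, delta, lambda s: s != wait and aut.final(s))


def L(*props: str) -> Letter:
    """Helper building a letter (constructed sample input)."""
    return frozenset(props)


if __name__ == "__main__":
    # Generator for <>q /\ <>r, then the Theorem 3.3 step yielding <>(p /\ <>q /\ <>r).
    conj = eventualities_generator(("p", "q", "r"), ("q", "r"))
    psi = prefix_construction(conj, lambda a: "p" in a)
    print(conj.size(), conj.longest_distance(), psi.size(), psi.longest_distance())  # 4 2 5 3
    print(psi.accepts_lasso([L(), L("p", "q")], [L("r")]))   # True: p and q at position 1, r later
    print(psi.accepts_lasso([L("q"), L("p")], [L("r")]))     # False: q occurs only before p
```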

The previous result is optimal in the sense that we may not have a smaller generator for some formula in LTL(◇,∧), as shown in the following theorem.

Theorem 3.4 There exists a formula $\varphi$ in LTL(◇,∧) such that all generators of $\varphi$ have $\Omega(\exp(|\varphi|))$ size and $\Omega(|\varphi|)$ longest distance.

Proof. Consider the formula $\varphi = \Diamond p_1 \wedge \ldots \wedge \Diamond p_n$, where $p_i \in P$ for $i = 1, \ldots, n$ and $n \ge 2$. Clearly, $|\varphi| = O(n)$. The first assertion can be easily proved by contradiction, showing that the initial state of a $\varphi$ generator must have at least $2^n - 1$ successors. The second assertion can be proved by contradiction by showing that if a generator $A_\varphi$ for $\varphi$ has longest distance less than $n$, from the $\varphi$ model $w = \{p_1\}\{p_2\} \cdots \{p_n\}^\omega$ we can derive another word which is not a model of $\varphi$ but is accepted by $A_\varphi$. ■

3.2 Generators for LTL(◇,○,∧)

In this section we use the notation $\bigcirc^n$ as a shorthand for $n$ nested next modalities. We therefore consider the size of $\bigcirc^n \varphi$ to be $|\varphi| + n$. Let us consider the formula $\varphi = \Diamond(p \wedge \bigcirc^n q)$, where $p, q \in P$. This formula asserts that $p$ has to be fulfilled at a position $i$ and $q$ at position $i + n$ for some $i \in \mathbb{N}$. A deterministic generator for $\varphi$ has to keep track of the truth values of $p$ in the previous $n$ positions. This can be done by running $n$ copies of the deterministic generator for $(p \wedge \bigcirc^n q)$. Such a generator requires exponentially many states and has exponential longest distance. We prove that this upper bound holds for all LTL(◇,○,∧) formulas:
Theorem 3.5 There exists a deterministic Büchi automaton $A$ accepting all the models of a formula $\varphi$ in LTL(◇,○,∧) such that $A$ has both size and longest distance at most exponential in $|\varphi|$.

Proof. The construction is done inductively on the structure of formulas in LTL(◇,○,∧). We observe that given a formula $\psi$, the next operators in $\psi$ can be pushed inside so that we obtain an equivalent formula $\psi'$ having only state predicates in the scope of a finite sequence of next operators, and such that $|\psi'| = O(|\psi|^2)$. As a consequence, most of the cases are handled as for the construction of a deterministic generator for LTL(◇,∧) formulas. The interesting case is to construct a deterministic generator for $\psi = \Diamond(p \wedge \bigcirc^k (q \wedge \psi'))$ given a deterministic generator $A_{\psi'}$ for $\psi'$ of both size and longest distance exponential in $|\varphi|$, and such that $\Sigma^* L(A_{\psi'}) \subseteq L(A_{\psi'})$. A deterministic generator $A_\psi$ for $\psi$ can be obtained by running in parallel $k$ copies of $A_{\psi'}$ and checking for the fulfillment of $(p \wedge \bigcirc^k q)$. At every position $i$ of the input word a copy of $A_{\psi'}$ is started, and if $i > k$ and $(p \wedge \bigcirc^k q)$ is not true at position $(i - k)$ then the copy started at position $(i - k)$ is dismissed. As soon as $(p \wedge \bigcirc^k q)$ becomes true, $A_\psi$ dismisses all copies of $A_{\psi'}$ but the one started at the position where $(p \wedge \bigcirc^k q)$ is true, and continues as $A_{\psi'}$. The size of $A_\psi$ is thus $O(\exp(k|P|)\,|A_{\psi'}|)$ and hence exponential in $|\varphi|$. Its longest distance is $O(\exp(k) + d')$, where $d'$ is the longest distance of $A_{\psi'}$, and thus is exponential in $|\varphi|$. ■

The previous result is optimal in the sense that we may not have a smaller generator for some formula in LTL(◇,○,∧), as shown in the following theorem.

Theorem 3.6 There exists a formula $\varphi$ in LTL(◇,○,∧) such that all generators of $\varphi$ have $\Omega(\exp(|\varphi|))$ size and $\Omega(\exp(|\varphi|))$ longest distance.

Proof. Consider the formula $\varphi = \Box(p \rightarrow \bigcirc^n q)$, where $p, q \in P$ and $n \ge 2$. Clearly, $|\varphi| = O(n)$. Since LTL(◇,∧) is a fragment of LTL(◇,○,∧), we only need to prove that all generators for $\varphi$ have a simple path of length at least $2^n$. Assume that $A_\varphi = (2^P, S, s_0, \delta, F)$ is a generator for $\varphi$. Consider words $w = a_1 \ldots a_n$ and $w' = a'_1 \ldots a'_n$ such that $w, w' \in (2^P)^*$, and $p \notin a_i$ and $p \in a'_i$ for some $i$. Let $y \in (2^P)^\omega$ be such that $y = b_1 b_2 \ldots$, $q \notin b_i$, and $xwy$ is a model of $\varphi$ for some $x \in (2^P)^*$. We have that $xw'y$ is not a model of $\varphi$. Thus a generator $A_\varphi$ cannot enter the same state after reading $xw$ and $xw'$, since it must accept $xwy$ and reject $xw'y$. Clearly we can prove this for any pair of words $w, w'$ of length $n$ that differ with respect to the truth of $p$ in at least one position.

Since we can determine $2^n$ words $w_1, \ldots, w_{2^n}$ which are pairwise different with respect to the truth values of $p$, there are $2^n$ pairwise disjoint sets of states, each of them containing the states which are reached on all runs of $A_\varphi$ by reading a prefix of a model for $\varphi$ ending in $w_i$. To conclude this proof we just need to prove that there exists a word that forces $A_\varphi$ to visit a state from each of these sets without reentering any of them before reading at least one state from each set. But this is equivalent to proving that there is an exponentially long word $w$ in $\{0,1\}^*$ such that any two subwords of $w$ of length $n$ differ in at least one position, and thus we are done. ■

3.3 Generators for LTL(◇,∧,∨) and LTL(◇,○,∧,∨)

The fragment LTL(◇,○,∧,∨) contains boolean combinations of formulas built from state predicates using eventualities, next, disjunctions, and conjunctions. This fragment includes combinations of safety and guarantee properties, and belongs to the class of syntactic obligation properties [13].

Let us consider the formula $\varphi = \Diamond \bigwedge_{i=1}^{n} (p_i \vee \Diamond q_i)$, where $p_i, q_i \in P$ for $i = 1, \ldots, n$ and $n \ge 2$. Obviously $\varphi$ is an LTL(◇,∧,∨) formula. This formula asserts that at a same position in the model all the clauses $(p_i \vee \Diamond q_i)$ have to be satisfied. Since the fulfillment of a clause at a position implies either $p_i$ at that position or $q_i$ at a later position, a nondeterministic generator for $\varphi$ is the one that nondeterministically guesses the first position at which all the clauses are satisfied and then checks for their fulfillment. Such a generator has an exponential size and a linear longest distance. We can determinize this strategy to obtain a deterministic generator for $\varphi$ with $O(2^{2^n})$ states and $O(2^n)$ longest distance. It is possible to prove that this result indeed holds for all LTL(◇,○,∧,∨) formulas, as stated by the following theorem.

Theorem 3.7 There exists a deterministic Büchi automaton $A$ accepting all the models of a formula $\varphi$ in LTL(◇,○,∧,∨) such that $A$ has size doubly-exponential in $|\varphi|$ and longest distance exponential in $|\varphi|$.

Proof. To construct a deterministic generator for LTL(◇,○,∧,∨) formulas we first transform them into a "layered" conjunctive normal form where we have either LTL(◇,○,∧) formulas or formulas of type $\psi = \Diamond \bigvee_i (p_i \wedge \bigcirc^k q_i \wedge \psi_i)$. This translation may cause an exponential blow-up in the size of the formula. The results obtained for LTL(◇,○,∧) then give the upper bound on the size of the deterministic generator for LTL(◇,○,∧,∨) formulas. An accurate analysis of the longest distance in the construction given for LTL(◇,○,∧) gives an $O(\exp(k|P|) + |\psi|)$ upper bound, where $k$ is the largest number of nested next modalities in the starting formula. Since the transformation into the layered CNF does not increase this parameter, given an LTL(◇,○,∧,∨) formula we get that the longest distance of the deterministic generator obtained by the given construction is exponential in $|\varphi|$. ■

The following theorem shows that the above result is optimal also in the case of LTL(◇,∧,∨) formulas.

Theorem 3.8 There exists a formula $\varphi$ in LTL(◇,∧,∨) such that all the deterministic generators of $\varphi$ have $\Omega(\exp(\exp(|\varphi|)))$ size and $\Omega(\exp(|\varphi|))$ longest distance.

Proof. Consider the formula $\varphi = \Diamond \bigwedge_{i=1}^{n} (p_i \vee \Diamond q_i)$, where $p_i, q_i \in P$ for $i = 1, \ldots, n$ and $n \ge 2$. Obviously, $|\varphi| = O(n)$. Denote by $P_p$ the set $\{p_1, \ldots, p_n\}$ and by $P_q$ the set $\{q_1, \ldots, q_n\}$. We prove that a minimal deterministic generator for $\varphi$ has $2^{2^{\Omega(n)}}$ states. With a similar argument it is also possible to show that all the deterministic generators for $\varphi$ have a simple path of length $2^{\Omega(n)}$. Assume that $A_\varphi = (2^P, S, s_0, \delta, F)$ is a deterministic generator for $\varphi$. Given a subset $b$ of $P_p$, define $q(b)$ as the set $\{q_i \mid p_i \notin b\}$. Define $\Sigma_k$ as the set of $P_p$ subsets of cardinality $k$, that is, $\Sigma_k = \{a \subseteq P_p \mid |a| = k\}$. The cardinality of $\Sigma_k$ is $\binom{n}{k}$. If we choose $k = \lceil n/2 \rceil$, then $|\Sigma_k| = 2^{\Omega(n)}$. Observe that for $w, w' \in \Sigma_k^*$ such that $w = a_0 a_1 \ldots a_m$, $w' = a'_0 a'_1 \ldots a'_{m'}$, and $\bigcup_{i} \{a_i\} \ne \bigcup_{i} \{a'_i\}$, it must hold that $\delta(s_0, w) \ne \delta(s_0, w')$. In fact, we can suppose without loss of generality that there is an $a \in \bigcup_{i} \{a_i\}$ such that $a \notin \bigcup_{i} \{a'_i\}$. Thus, for any $w'' \in (2^P)^\omega$, the word $w\, q(a)\, w''$ is a model of $\varphi$ and $w'\, q(a)\, \emptyset\, \emptyset \ldots$ is not. Since $A_\varphi$ accepts all and only the models of $\varphi$, and there is an accepting run for any word $w\, q(a)\, w''$, if $\delta(s_0, w) = \delta(s_0, w')$ then $A_\varphi$ accepts also $w'\, q(a)\, \emptyset\, \emptyset \ldots$, and this contradicts the hypothesis of $A_\varphi$ being a generator of models for $\varphi$. Since the number of subs of $\Sigma_k$ is $2^{|\Sigma_k|}$, $A_\varphi$ must have at least $2^{|\Sigma_k|}$ states. Thus, for $k = \lceil n/2 \rceil$, this means $2^{2^{\Omega(n)}}$ states. ■

3.4 Generators for LTL(□,◇,∧,∨)

In section 2.2 we recalled the results concerning the construction of a deterministic generator for a given formula in LTL. In this section we prove a matching lower bound to that construction, even in the absence of next and until modalities.


Theorem 3.9 There exists a formula $\varphi$ in LTL(□,◇,∧,∨) such that all the deterministic generators of $\varphi$ have an $\Omega(\exp(\exp(|\varphi|)))$ longest distance.

Proof. Consider the formula

$$\Box\Big(\Diamond \bigwedge_{i=1}^{n} (a_i \vee \Diamond b_i) \;\rightarrow\; \Diamond \bigwedge_{i=1}^{n} (c_i \vee \Diamond d_i)\Big),$$

where $a_i, b_i, c_i, d_i \in P$ for $i = 1, \ldots, n$ and $n \ge 2$. Assume that $A_\varphi = (2^P, S, s_0, \delta, F)$ is a deterministic generator for $\varphi$. Denote by $P_x$ the set $\{x_1, \ldots, x_n\}$. Moreover, denote by $p_j$ a subset of $P_a$ and by $q_j$ a subset of $P_c$. By arguments similar to those used in the proof of Theorem 3.8, it is possible to prove that: 1) a deterministic generator for $\varphi$ has to keep track of the $p_j$'s that have been fulfilled and, for each $p_j$, the list of $q_h$'s which have been fulfilled starting at the position where $p_j$ was true the last time; 2) we may need to store exponentially many $p_j$'s and exponentially many $q_j$'s to check the fulfillment of $\bigwedge_{i=1}^{n} (a_i \vee \Diamond b_i)$ and $\Diamond \bigwedge_{i=1}^{n} (c_i \vee \Diamond d_i)$, respectively. Thus, for $k = \Omega(2^n)$, let $p_1, \ldots, p_k$ and $q_1, \ldots, q_k$ be such sets. We observe that only one among all $p_j$'s (respectively, $q_j$'s) can be true at each position. Every time a $p_j$ is true at a position $i$, $A$ resets the list for $p_j$ with only the $q_h$ which is true at position $i$. Every time a $q_j$ is true, $A$ adds $q_j$ to all lists. To conclude the proof it is sufficient to show that there exists a word $w$ in $(P_p \cup Q_p \cup \{p_j \cup q_h \mid p_j \in P_p, q_h \in Q_p\})^*$ of length $2^k$ such that the run $r$ of $A$ on $w$ satisfies $r(i) \ne r(j)$ for any $i \ne j$. To see this, we map each state $s$ of $A$ into a binary $k$-tuple $(x_1, \ldots, x_k)$ such that $x_i = 1$ if and only if $q_i$ is in the list for $p_i$. Clearly, if two states $s$ and $s'$ are mapped into two different tuples then $s \ne s'$. Moreover, by the above observations, if neither $q_i$ nor $p_i$ is true at the current position, the $i$-th bit of the tuple associated to the next $A$ state is the $i$-th bit of the current state, while if $q_i$ is true then the $i$-th bit becomes 1, and otherwise, if $p_i$ is true, the $i$-th bit becomes 0. Since at most one $p_i$ and one $q_j$ are true at each position, the tuples of two consecutive states in a run may differ in at most 2 bits. Since it is possible to list all the $2^k$ binary tuples in such a way that two consecutive tuples differ in exactly 1 or 2 bits, we have proved that any deterministic generator for $\varphi$ has $\Omega(2^k) = \Omega(2^{2^n})$ longest distance. ■


4 Büchi games

In this section we present a new decision algorithm for Büchi games, which mainly performs a depth-first traversal of a portion of the game tree and is space-efficient when the longest distance is small. Standard techniques to solve Büchi games involve fix-point computation [19], and require space $O(n)$ no matter what the longest distance is. An interesting aspect of our algorithm is that it can be applied to all the games in which the winning condition can be translated into a deterministic Büchi automaton, as for the formulas in the fragments of LTL we have studied in sections 3.1, 3.2 and 3.3. Then we combine this algorithm with the results on LTL generators from the previous section and study the complexity of the obtained solutions.

In this section we search for winning strategies of $\mathit{Player}_0$, while $\mathit{Player}_1$ will be our adversary. Consider a game graph $G$ and a subset $F$ of $G$ vertices. We denote by $\Pi$ the set of plays whose last state is the first state which repeats, that is, plays of the form $x_0 \cdots x_h$ such that $x_h = x_i$ for some $0 \le i < h$, and $x_i \ne x_j$ for all $0 \le i, j < h$ with $i \ne j$. We have that any long-enough play in $G$ has a prefix which is in $\Pi$, and each of the plays from $\Pi$ is constituted by an acyclic prefix followed by a loop. Moreover, we denote by $\Pi_F$ the set of plays in $\Pi$ containing a state from $F$ in their loop, and by $\Pi_f$ the set of plays from $\Pi$ which can be constructed using the strategy $f$. We define a game $(G, F)_{fin}$ as the game where $\mathit{Player}_0$ wins from a state $u$ if there is a strategy $f$ from $u$ such that $\Pi_f \subseteq \Pi_F$. Since Büchi games are memoryless, we have:

Lemma 4.1 There exists a winning strategy for $\mathit{Player}_0$ from a vertex $u$ in a Büchi game $(G, F)$ if and only if there exists a winning strategy for $\mathit{Player}_0$ from $u$ in $(G, F)_{fin}$.

Directly from the definition of a winning strategy in a game $(G, F)_{fin}$, we have the following lemma.

Lemma 4.2 Any winning strategy $f$ for $\mathit{Player}_0$ in a game $(G, F)_{fin}$ is such that the length of a play in $\Pi_f$ is $O(d)$, where $d$ is the longest distance of $G$.

By the above lemmas, there is a decision algorithm for Büchi games which explores a tree whose height is the longest distance of the game graph.

Theorem 4.3 Given a game graph $G$ with $m$ vertices and longest distance $d$, the Büchi game $(G, F)$ is decidable in space $O(d \log m)$.

Given a game $(G, W)$, if the winning condition $W$ can be translated to a deterministic Büchi automaton, it is possible to use the algorithm given by Lemmas 4.1 and 4.2 to decide it. In particular, let $A$ be a deterministic Büchi automaton equivalent to the winning condition $W$, in the sense that the language accepted by $A$ is the language of the $\omega$-words satisfying $W$. Define $G \times A$ as the game graph whose vertices $V \times Q$, where $Q$ is the set of $A$ states, are partitioned according to the $V$ partition, and from a vertex $(v, q)$ it is possible to reach a vertex $(v', q')$ by taking an action $a$ if and only if $A$ enters $q'$ from $q$ by reading the subset of atomic propositions true at $v$ and in $G$ it is possible to move from $v$ to $v'$ taking the action $a$. Let $F$ and $s_0$ be the set of final states and the initial state of $A$, respectively; then there is a winning strategy in the Büchi game $(G \times A, V \times F)$ starting at a vertex $(u, s_0)$ if and only if there is a winning strategy in $(G, W)$ starting at $u$.
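The play-tree algorithm of Lemmas 4.1 and 4.2 on the product $G \times A$ just described, as an added example that is not the paper's code: the search follows each play only up to its first repeated vertex and keeps nothing but the current play, which is where the $O(d \log m)$ space of Theorem 4.3 comes from. The arbiter game, its labels and the hand-written three-state generator for $\Diamond(req \wedge \Diamond grant)$ are constructed here for illustration.

```python
# Added example (not the paper's code): deciding (G,F)_fin by depth-first search over plays,
# run on the product G x A described above. Game, automaton and labels are constructed.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Vertex = Any
Letter = FrozenSet[str]


@dataclass
class GameGraph:
    """Player_0 moves at the vertices in player0, Player_1 at all others. Every vertex is
    assumed to have at least one successor. label[v] is the set of propositions true at v."""
    succ: Dict[Vertex, List[Vertex]]
    player0: Set[Vertex]
    label: Dict[Vertex, Letter] = field(default_factory=dict)


@dataclass
class DBA:
    """Deterministic Buchi automaton: initial state, accepting states, transition function."""
    initial: Any
    final: Set[Any]
    delta: Callable[[Any, Letter], Any]


def product_game(G: GameGraph, A: DBA, start: Vertex) -> Tuple[GameGraph, Set[Vertex], Vertex]:
    """G x A, restricted to what is reachable from (start, s0): (v,q) -> (v',q') iff v -> v'
    in G and q' = delta(q, label(v)). Returns the product, its Buchi set V x F and (start, s0)."""
    s0 = (start, A.initial)
    succ, player0, final = {}, set(), set()
    stack = [s0]
    while stack:
        pair = stack.pop()
        if pair in succ:
            continue
        v, q = pair
        q2 = A.delta(q, G.label.get(v, frozenset()))
        succ[pair] = [(v2, q2) for v2 in G.succ[v]]
        if v in G.player0:
            player0.add(pair)
        if q in A.final:
            final.add(pair)
        stack.extend(succ[pair])
    return GameGraph(succ, player0), final, s0


def player0_wins(G: GameGraph, F: Set[Vertex], v: Vertex,
                 play: Optional[List[Vertex]] = None,
                 stats: Optional[Dict[str, int]] = None) -> bool:
    """Decides (G,F)_fin: each play is followed only up to its first repeated vertex, and
    Player_0 wins it iff the loop it closes contains a vertex of F. The only state kept is
    the current play, whose length is bounded by the longest distance plus one."""
    play = [] if play is None else play
    if v in play:                                   # first repeat: play[i:] is the loop
        return any(x in F for x in play[play.index(v):])
    play.append(v)
    if stats is not None:
        stats["max_play"] = max(stats.get("max_play", 0), len(play))
    choose = any if v in G.player0 else all         # Player_0 needs one good move, Player_1 none
    result = choose(player0_wins(G, F, w, play, stats) for w in G.succ[v])
    play.pop()
    return result


def eventually_req_then_grant() -> DBA:
    """Hand-written generator for the LTL(<>,/\) formula <>(req /\ <>grant):
    0 = no req yet, 1 = req seen and a grant still owed, 2 = satisfied (absorbing, accepting)."""
    def delta(q: int, a: Letter) -> int:
        if q == 2 or (q == 1 and "grant" in a) or (q == 0 and {"req", "grant"} <= a):
            return 2
        if q == 1 or "req" in a:
            return 1
        return 0
    return DBA(initial=0, final={2}, delta=delta)


def arbiter_game() -> GameGraph:
    """Constructed toy game: Player_1 decides whether to request, Player_0 whether to grant."""
    return GameGraph(
        succ={"idle": ["idle", "req"], "req": ["grant", "deny"], "grant": ["idle"], "deny": ["idle"]},
        player0={"req"},
        label={"req": frozenset({"req"}), "grant": frozenset({"grant"})},
    )


def solve(start: str) -> Tuple[bool, int, int]:
    """(does Player_0 win from start, longest play explored, size of the reachable product)."""
    G, F, s0 = product_game(arbiter_game(), eventually_req_then_grant(), start)
    stats: Dict[str, int] = {}
    return player0_wins(G, F, s0, stats=stats), stats["max_play"], len(G.succ)


if __name__ == "__main__":
    print(solve("req"))    # (True, 5, 9): granting closes a loop through the accepting state
    print(solve("idle"))   # (False, 1, 10): Player_1 can idle forever, so req never happens
```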

As a consequence of the results from section 3 and the above argument, Theorem 4.3 applies to games with winning condition expressed by formulas in the LTL fragments we have considered so far. In fact, the following theorems hold.

Theorem 4.4 LTL(◇,∧) games are PSPACE-complete.

Proof. Membership in PSPACE is a consequence of Theorems 3.3 and 4.3. To prove PSPACE-hardness, we can reduce the satisfiability of quantified boolean formulas in conjunctive normal form to deciding the existence of a winning strategy in an LTL(◇,∧) game. This also shows that LTL(□,∨) games are PSPACE-hard. Let $\varphi = A_1 x_1 \ldots A_n x_n .\ \bigwedge_{i=1}^{m} c_i$ be a quantified boolean formula over the variables $x_1, \ldots, x_n$. Consider the LTL(◇,∧) formula $\varphi' = \Diamond c_1 \wedge \ldots \wedge \Diamond c_m$ over the atomic propositions $\{c_1, \ldots, c_m\}$. The game graph $G$ is defined in such a way that each literal corresponds to exactly one vertex, a path of the game tree corresponds to the assignment given by assuming true the literals corresponding to its vertices, each vertex is labeled with the conjuncts which contain the corresponding literal, and a strategy corresponds to a selection of paths fulfilling the requirements of the quantifiers $A_1, \ldots, A_n$. We have that $\varphi$ is satisfiable if and only if there is a winning strategy in the game $(G, \varphi')$. ■

Theorem 4.5 LTL(◇,○,∧) games are EXPTIME-complete.

Proof. By Theorem 3.5, LTL(◇,○,∧) has exponentially-sized deterministic generators, and hence membership in EXPTIME follows. For the lower bound, we reduce the halting problem for alternating linear bounded automata. We briefly sketch the construction. Consider a Turing machine $M$ that uses $n$ tape positions over a tape alphabet $\Gamma$, and let $Q$ be the set of control states, partitioned into $Q_0$ and $Q_1$ corresponding to the two players. The transitions of the machine are of the form $(q, \sigma, q', \sigma', L/R)$, meaning that if the control state is $q$ and the current symbol is $\sigma$, then the machine can overwrite the current cell with $\sigma'$, update the control state to $q'$, and move left ($L$) or right ($R$). If multiple transitions are applicable, then depending on whether the current control state belongs to $Q_0$ or $Q_1$, one of the two players gets to choose the transition. The problem of deciding whether $\mathit{Player}_0$ has a strategy to reach a specified control state, say $q_h$, is EXPTIME-complete. Given such a machine $M$, we build a game graph $G_M$ as follows. For every tape symbol $\sigma$ and position $i$, $G_M$ has a vertex $v_{\sigma,i}$ belonging to $V_1$. For every control state $q$, tape symbol $\sigma$ and position $i$, $G_M$ has a vertex $v_{q,\sigma,i}$ belonging to $V_0$ if $q$ is in $Q_0$ and to $V_1$ otherwise. For every control state $q$ and symbol $\sigma$, $G_M$ has a vertex $v_{q,\sigma,L}$ and a vertex $v_{q,\sigma,R}$, both belonging to $V_1$. For $i < n$, there is an edge from $v_{\sigma,i}$ to every $v_{\sigma',i+1}$. There is an edge from $v_{\sigma,n}$ to every $v_{q,\sigma',i}$. For every transition $(q, \sigma, q', \sigma', L/R)$ of $M$, there is an edge from every $v_{q,\sigma,i}$ to $v_{q',\sigma',L/R}$. Finally, every $v_{q,\sigma,L/R}$ has an edge to every $v_{\sigma',1}$. The intuition is that $\mathit{Player}_1$ chooses a sequence of vertices $v_{\sigma_1,1} \cdots v_{\sigma_n,n}$, denoting the tape content, followed by a vertex $v_{q,\sigma,i}$ meaning that the current control is in state $q$ with the head reading symbol $\sigma$ in position $i$. The next vertex, of the form $v_{q',\sigma',L/R}$, indicates the choice of the transition (and hence the new control state, the new symbol in position $i$, and the movement of the head), and is determined by one of the players depending on whether $q$ belongs to $Q_0$ or $Q_1$. $\mathit{Player}_0$ wins if either the control state $q_h$ is encountered or $\mathit{Player}_1$ does not make the choices for encoding the configuration according to the intended interpretation. Assume that there are enough propositions to identify each vertex uniquely by a state predicate. Then, the winning condition for $\mathit{Player}_0$ is a top-level disjunction of several formulas that use only eventualities and conjunctions. For instance, a mistake in the encoding of the content of the $i$-th tape position is described by the formula

$$\bigvee \Diamond\big(v_{\sigma,i} \wedge \bigcirc^{n-i+1} v_{q,\sigma,i} \wedge \bigcirc^{n-i+2} v_{q',\sigma',L/R} \wedge \bigcirc^{n+2} v_{\sigma'',i}\big).$$

■

Theorem 4.6 LTL(◇,○,∧,∨) games are in EXPSPACE.

Proof. Directly from Theorems 3.7 and 4.3. ■

5  Conclusions 

For the problem of solving infinite games with the winning condition specified by an LTL formula, we have studied the impact of different connectives on the complexity. In the same way as model checking (or satisfiability) is related to the translation from LTL to nondeterministic $\omega$-automata, solving games is related to the translation from LTL to deterministic $\omega$-automata. We have established that the longest distance, besides the size, of the automaton produced by the translation is an important parameter. The results are summarized in the table of Figure 2 for various fragments. As the table indicates, the sources of complexity for games are different from the ones for model checking. The matching lower bounds for the games in the LTL fragments LTL(◇,∧,∨), LTL(◇,○,∧,∨), and LTL(□,◇,∧,∨) are open problems, while the results on the corresponding deterministic generators are tight with respect to both the size and the longest distance. We observe that LTL(□,◇,∧,∨), and thus LTL, formulas may not have deterministic Büchi generators, but it is known that they have doubly-exponential deterministic Streett generators.

Besides the classification of the complexity of games for various fragments, the constructions of this paper can be used to solve synthesis problems for certain kinds of formulas more efficiently. In particular, the fragments LTL(◇,∧) and LTL(◇,∧,∨) contain many commonly occurring specifications that are boolean combinations of safety and guarantee properties, and for these we have provided a direct construction of deterministic generators in a modular manner.
Normalization by evaluation for typed lambda calculus with coproducts

T. Altenkirch, P. Dybjer, M. Hofmann, P. Scott


Abstract 

We solve the decision problem for simply typed lambda calculus with strong binary sums, equivalently the word problem for free cartesian closed categories with binary coproducts. Our method is based on the semantical technique known as “normalization by evaluation” and involves inverting the interpretation of the syntax into a suitable sheaf model and from this extracting appropriate unique normal forms. There is no rewriting theory involved, and the proof is completely constructive, allowing program extraction from the proof.


1  Introduction 

In this paper we solve the decision problem for simply typed lambda calculus with categorical coproduct (strong disjoint sum) types. While this calculus is both natural and simple, the decision problem is a long-standing thorny issue in the subject. Our solution is based on normalization by evaluation (NBE) (also called “reduction-free normalisation”) introduced by Martin-Löf [ML75] for weak typed lambda calculus, and by Berger and Schwichtenberg [BS91] for typed lambda calculus with $\beta\eta$-conversion. The technique has been further refined by the authors and coworkers using category-theoretic methods [CD97, AHS95, CDS97]. It has also been extended to other systems, such as System F [AHS96]. As shown by Berger, Eberl, Schwichtenberg, and Danvy [BES98, Da96], NBE techniques yield fast normalization algorithms, with applications in interactive proof systems [BBSSZ98] and type-directed partial evaluation [Da96, Da98, Fil01].

Here we show how to considerably extend the NBE techniques to take into account type systems with strong sums. The NBE method involves constructing a model $M$ and effectively “inverting” the evaluation of lambda terms in $M$, thereby extracting certain unique syntactic normal forms, from which a decision procedure easily follows (we outline the proof below). The proof uses no rewriting theory.

Typed lambda calculi with (strong) sum types arise very naturally:

• In programming language theory, coproducts model variant and enumerative types. The added categorical equation for coproducts corresponds to a kind of uniqueness for pattern matching or Case construction [AC98, Mit96, GLT89].

• In proof theory, under the Curry-Howard Isomorphism, terms correspond to natural deduction proofs in intuitionistic propositional $\{\wedge, \vee, \Rightarrow, \top\}$ logic. One then considers terms (proofs) modulo certain equations, which guarantee, for example, that the formula $A \vee B$ acts as a coproduct type (with copairing), as well as including the theory of commutative conversions (cf. [GLT89], pp. 80-81). In category theoretic terminology, such lambda theories correspond exactly to almost bicartesian closed categories, that is, cartesian closed categories with nonempty finite coproducts (generated by a set of atomic types) [LS86].

• As proved by Dougherty and Subrahmanyam [DS95], a Friedman completeness theorem in Set holds for cartesian closed categories with binary coproducts. Therefore, the equality we decide is the natural extensional equality on proofs in intuitionistic propositional logic and on terms of the typed lambda calculus with sums.

Much of traditional lambda calculus theory carries through unscathed when we add products (and even weak categorical data types) to the simply typed case. Unfortunately, the addition of coproducts is considerably more subtle. The difficulties with adding coproducts are detailed in [Do93, DS95]: for example, the analog of Statman's 1-Section theorem fails in the presence of coproducts, confluence (of various standard rewriting presentations) fails, and the proof of Friedman's completeness theorem for the case of coproducts uses difficult and involved syntactical arguments [DS95].

A decision procedure for cartesian closed categories with binary coproducts has been presented in Ghani's thesis [Gh95a] (see [Gh95b] for a summary), although the proof involves intricate rewriting techniques whose details are daunting. Our method described here is quite different and, we believe, conceptually simpler.

An algorithm for type-directed partial evaluation for a call-by-value typed lambda calculus with sums has been given by Danvy [Da96, Da98] and Filinski [Fil01]. This algorithm uses continuations and is therefore also quite different from ours. In particular, it does not decide equality in cartesian closed categories with binary coproducts.

Like Ghani and Dougherty and Subrahmanyam, we only consider the case of finite non-empty coproducts, that is, an initial object (empty type) is not part of the structure. We conjecture that the present approach can be extended to full bicartesian closed categories including initial objects. However, this complicates the structure of our normal forms, and we have not yet completely checked that all properties hold for the extended language.

Outline  of  Proof 

Let $\mathcal E$ be a lambda theory. Our aim is to decide if

$$\Gamma \vdash_{\mathcal E} e_1 = e_2 : A,$$

that is, if two possibly open terms $e_1$ and $e_2$ of type $A$ are equal wrt $\mathcal E$, where $\Gamma$ is a type environment. We associate with each term $e$ a normal form $\mathrm{nf}(e)$. In this paper, these normal forms are not themselves terms, but there is a function $d$ mapping normal forms to terms in such a way that the following two properties hold (cf. [CD97, CDS97]):

NF1: $\Gamma \vdash_{\mathcal E} d(\mathrm{nf}(e)) = e$

NF2: $\Gamma \vdash_{\mathcal E} e_1 = e_2$ implies $\mathrm{nf}(e_1) = \mathrm{nf}(e_2)$.

This implies that $\Gamma \vdash_{\mathcal E} e_1 = e_2$ if and only if $\mathrm{nf}(e_1) = \mathrm{nf}(e_2)$, so that comparing normal forms will yield a decision procedure for $\mathcal E$.

When $\mathcal E$ = the typed lambda calculus with $\beta\eta$-conversion, the authors and coworkers showed in [AHS95, CDS97] how to obtain a function $\mathrm{nf}$ by inverting the presheaf interpretation of $\mathcal E$. One defines two natural transformations $q^A : [\![A]\!] \to NF(A)$ and $u^A : NE(A) \to [\![A]\!]$, where $NF(A)$ is the presheaf of normal forms and $NE(A)$ is the presheaf of neutral terms of type $A$ from $\mathcal E$. Given a typing judgement $\Gamma \vdash_{\mathcal E} e : A$, where $\Gamma = x_1 : A_1, \dots, x_n : A_n$, we define

$$\mathrm{nf}(e) = q([\![e]\!](u(1_\Gamma)))$$

where $1_\Gamma$ is the sequence $(x_1, \dots, x_n)$ and we omit type superscripts. Since $[\![-]\!]$ is an interpretation, we have immediately that $\Gamma \vdash_{\mathcal E} e_1 = e_2$ implies $[\![e_1]\!] = [\![e_2]\!]$, and hence NF2 follows and NF1 is proved by induction on $e$, using for example logical relations.

How do we obtain a function $\mathrm{nf}$ when we add strong sums to $\mathcal E$? The problem is that although the category of presheaves has coproducts, a difficulty arises when we try to invert the interpretation of coproducts. The maps $q$ and $u$ are defined by induction on types, so in particular we need to define $u^{A_0 + A_1}$ in terms of $u^{A_0}$ and $u^{A_1}$. But coproducts in presheaves are calculated pointwise; so, for example, how do we define $u^{A_0 + A_1}(s) \in [\![A_0]\!]_\Gamma + [\![A_1]\!]_\Gamma$ for a neutral term $\Gamma \vdash s : A_0 + A_1$? Since variables are neutral terms, we must in particular define $u^{A_0 + A_1}(x)$, but there is no sensible way to decide whether this should be in the first or the second disjunct.

As we shall show, the solution of this problem is to introduce an appropriate Grothendieck topology and consider the sheaves for that topology. This will give us a way to "amalgamate" the contributions of $u^{A_0}$ and $u^{A_1}$ in the definition of $u^{A_0 + A_1}$.

Plan  of  the  paper 

In Section 2 we formally define the typed lambda calculus with strong sums and show how it yields a free cartesian closed category with binary coproducts. In Section 3 we introduce our normal forms, and the auxiliary notions of pure normal forms and neutral terms. The main idea is to introduce a parallel case statement, and impose variable conditions and a condition of redundancy-freeness to obtain uniqueness of normal forms. In Section 4 we introduce the category of constrained environments, where objects are environments (type assignments) equipped with equational constraints. This will serve as the underlying category of our Grothendieck topology which is defined in Section 5. There we also introduce the category of sheaves for this topology and its bicartesian closed structure. This yields a canonical interpretation of the syntax in the category of sheaves and in Section 6 we show how to invert this interpretation and obtain normal forms.

2  Syntax 

We follow the treatment of sums in natural deduction, as in [GLT89, pp 80-81]. For ease of presentation, we restrict ourselves to one base type.

Types are given by the grammar

$$A ::= o \mid A \Rightarrow A \mid A \times A \mid T \mid A + A$$

Terms are given by

$$e ::= x \mid \lambda x.e \mid e\,e \mid (e, e) \mid \pi_0(e) \mid \pi_1(e) \mid () \mid \iota_0(e) \mid \iota_1(e) \mid \delta\,(x.e)\,(x.e)\,e$$

The Case term $\delta\,(x_0.e_0)\,(x_1.e_1)\,e_2$ simultaneously binds $x_0$ in $e_0$ and $x_1$ in $e_1$.

A type environment $\Gamma$ is a finite function from variables to types. The typing judgement $\Gamma \vdash e : A$ meaning $e$ has type $A$ in type environment $\Gamma$ is defined in the obvious way. For example, the rule for Case is:

$$\frac{(\Gamma, x_i : A_i \vdash e_i : C)_{i \in \{0,1\}} \qquad \Gamma \vdash e : A_0 + A_1}{\Gamma \vdash \delta\,(x_0.e_0)\,(x_1.e_1)\,e : C}$$

Definition 2.1 Equality between terms in environment $\Gamma$, denoted $\Gamma \vdash - = - : A$, is the least (typed) congruence generated by the following rules (omitting types to improve readability):

($\beta$) $(\lambda x.e_0)\,e_1 = e_0[e_1/x]$

($\eta$) $e = \lambda x.e\,x$, if $x \notin FV(e)$

(Proj$_i$) $\pi_i((e_0, e_1)) = e_i$

(SP) $e = (\pi_0(e), \pi_1(e))$

(Unit) $e = ()$

(In$_i$) $\delta\,(x_0.e_0)\,(x_1.e_1)\,(\iota_i(e_2)) = e_i[e_2/x_i]$

(Coprod) $\delta\,(x_0.\iota_0(x_0))\,(x_1.\iota_1(x_1))\,e = e$

(Distrib) $e\,(\delta\,(x_0.e_0)\,(x_1.e_1)\,e_2) = \delta\,(x_0.e\,e_0)\,(x_1.e\,e_1)\,e_2$, if $x_0, x_1 \notin FV(e)$

We will refer to this equational theory as BiCCC. The key categorical axiom (Coprod) is dual to (SP) and guarantees uniqueness of the co-pairing arrow out of a coproduct. BiCCC entails all the usual commutative conversions for sums, [GLT89], pp. 80-81.

It can be shown (cf. [LS86, CDS97]) that the free almost bicartesian closed category $\mathcal B_0$ over one base object $o$ can be obtained as the category whose objects are type environments and where a morphism from $\Gamma = x_1 : A_1, \dots, x_m : A_m$ to $\Delta = y_1 : B_1, \dots, y_n : B_n$ is a sequence of terms $(e_1, \dots, e_n)$, modulo BiCCC equality, where $\Gamma \vdash e_i : B_i$. Freeness means that for each BiCCC $\mathcal B$ and object $[\![o]\!] \in \mathcal B$ we have a unique structure- and equation-preserving interpretation functor $[\![-]\!] : \mathcal B_0 \to \mathcal B$.

3 Normal Forms

Normal forms are defined simultaneously with pure normal forms and neutral terms. Normal (and pure normal) forms are not genuine terms, but defined inductively by the clauses below. If $\Gamma$ is a type environment we write $\Gamma \vdash_{NF} t : A$, resp. $\Gamma \vdash_{PNF} t : A$, resp. $\Gamma \vdash_{NE} t : A$ to mean that expression $t$ is a normal form, resp. pure normal form, resp. neutral term of type $A$. We write $FV(t)$ for the set of free variables occurring in $t$. We write $\mathrm{Guards}(t)$ for the set of guards of a normal form $t$; this will be defined below as part of the rule for forming normal forms.

$$\frac{x \in \mathrm{dom}(\Gamma)}{\Gamma \vdash_{NE} x : \Gamma(x)} \qquad \frac{\Gamma \vdash_{NE} s : o}{\Gamma \vdash_{PNF} s : o} \qquad \frac{}{\Gamma \vdash_{PNF} () : T}$$

$$\frac{\Gamma \vdash_{PNF} t_0 : A_0 \qquad \Gamma \vdash_{PNF} t_1 : A_1}{\Gamma \vdash_{PNF} (t_0, t_1) : A_0 \times A_1} \qquad \frac{\Gamma \vdash_{NE} t : A_0 \times A_1}{\Gamma \vdash_{NE} \pi_i(t) : A_i}\ \ i \in \{0,1\}$$

$$\frac{\Gamma \vdash_{PNF} t : A_i}{\Gamma \vdash_{PNF} \iota_i(t) : A_0 + A_1}\ \ i \in \{0,1\} \qquad \frac{\Gamma \vdash_{NE} s : A \Rightarrow B \qquad \Gamma \vdash_{PNF} t : A}{\Gamma \vdash_{NE} s\,t : B}$$

$$\frac{\Gamma, x : A \vdash_{NF} t : B}{\Gamma \vdash_{PNF} \lambda x.t : A \Rightarrow B}$$

where in the last rule we have the variable condition that $x \in FV(s)$ for each $s \in \mathrm{Guards}(t)$.

We have two rules for forming normal forms:

(a) $\dfrac{\Gamma \vdash_{PNF} t : A \quad \text{and} \quad \mathrm{Guards}(t) = \emptyset}{\Gamma \vdash_{NF} t : A}$

(b) Let $M = \{s_1, \dots, s_n\}$ be a nonempty finite set of neutral terms (so we assume the $s_i$ are pairwise distinct). For each $f : M \to \{0,1\}$ we use the abbreviation $\Gamma_f = \Gamma, x_1 : A^1_{f(s_1)}, \dots, x_n : A^n_{f(s_n)}$. Define

$$\frac{(\Gamma \vdash_{NE} s_i : A^i_0 + A^i_1)_{i \in \{1, \dots, n\}} \qquad (\Gamma_f \vdash_{NF} t_f : C)_{f : M \to \{0,1\}}}{\Gamma \vdash_{NF} C(M, (x_1 \cdots x_n.t_f)_f) : C}$$

and $\mathrm{Guards}(C(M, (x_1 \cdots x_n.t_f)_f)) = M$, where $(t_f)_f$ is a family of normal forms satisfying the following two side conditions:

Variable-condition: for each $s \in \mathrm{Guards}(t_f)$ we have $\{x_1, \dots, x_n\} \cap FV(s) \neq \emptyset$.

Redundancy-freeness: The family $(t_f)_f$ is not redundant at any $s_i \in M$, where $(t_f)_f$ is redundant at $s_i$ whenever for all $g : M \setminus \{s_i\} \to \{0,1\}$, $t_{g[s_i \mapsto 0]}$ and $t_{g[s_i \mapsto 1]}$ are equal and neither contains the variable $x_i$.

The variables $x_1, \dots, x_n$ become bound in the $C$-construct. For brevity we shall often use the alternative notation $C(M, (t'_f)_f)$, where the $t'_f$ range over abstractions $x_1, \dots, x_n.t_f$.

The idea is that $C$ performs a simultaneous case split over all the "guards". For example, $t_{f[s \mapsto 0]}$ corresponds to a branch to be taken when $s$ is of the form $\iota_0(x)$.

Example 3.1 The following examples show how the side-conditions ensure uniqueness of normal forms as computed by $\mathrm{nf}$ in Section 1. For simplicity let the variables $z$ (possibly with indices) in the examples below have type $o$, so that they are normal terms.

1. The normal form of $\lambda w.\delta\,(x_1.z_0)\,(x_1.z_1)\,y$ will be $C(\{y\}, (x_1.t_f)_f)$ where $t_{[y \mapsto i]} = \lambda w.z_i$. Note that the expression $\lambda w.C(\{y\}, (x_1.t_f)_f)$, where $t_{[y \mapsto i]} = z_i$, violates the side condition for (pure) normal forms of $\lambda$-form.

2. The normal form of the term

$$\delta\ (x_1.\delta\,(x_2.z_{00})\,(x_2.z_{01})\,y_2)\ (x_1.\delta\,(x_2.z_{10})\,(x_2.z_{11})\,y_2)\ y_1$$

will be

$$C(\{y_1, y_2\}, (x_1 x_2.t_f)_f)$$

where $t_{[y_1 \mapsto i, y_2 \mapsto j]} = z_{ij}$. Note that the expression $C(\{y_1\}, (x_1.C(\{y_2\}, (x_2.t_{f_1 \cup f_2})_{f_2}))_{f_1})$ is not a normal form since it violates the variable-condition: $x_1$ is not free in the guard $y_2$ of the normal form $C(\{y_2\}, (x_2.t_{f_1 \cup f_2})_{f_2})$.

3. The normal form of $\delta\,(x.z)\,(x.z)\,y$ will be $z$. Note that $C(\{y\}, (x.z)_f)$ is not a normal form as $(x.z)_f$ is redundant at $y$.

4. Note however, that the normal form of $\delta\,(z.z)\,(z.z)\,y$ will be $C(\{y\}, (z.z)_f)$ which is not redundant at $y$ because of the variable condition in the definition of redundancy.

Definition 3.2 The function $d$ mapping $\Gamma \vdash_V t : A$ with $V \in \{NF, PNF, NE\}$ to terms $\Gamma \vdash d(t) : A$ is defined in the following way:

• $d$ commutes with all the term formers except $C$ (in particular, preserves variables).

• $d(C(M \cup \{s\}, (t_f)_f)) = \delta\,(x_0.e_0)\,(x_1.e_1)\,d(s)$, where $e_i = d(C(M, (t_{g[s \mapsto i]})_g))$.

It is easy to see that up to BiCCC equality this does not depend on the choice of the witnessing term $s$ and on the order of the guards.
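The parallel case construct, its two side conditions and the read-back function $d$ of Definition 3.2, run on the normal forms of Example 3.1 (an added example, not code from the paper; the tuple encoding and all helper names are this example's own):

```python
from itertools import product

# Constructed encoding of terms and normal forms (this example's own):
#   ('var', x)                       variable x
#   ('lam', x, t)                    lambda x.t
#   ('app', s, t)                    application s t
#   ('inj', i, t)                    iota_i(t)
#   ('case', (x0, e0), (x1, e1), s)  delta (x0.e0) (x1.e1) s   (terms only)
#   ('C', guards, branches)          C(M, (x_1...x_n.t_f)_f)   (normal forms)
# guards   : tuple of pairwise distinct neutral terms (s_1, ..., s_n)
# branches : dict mapping f (tuple of 0/1, one entry per guard) to
#            ((x_1, ..., x_n), t_f); every branch binds the same x_1..x_n.

def free_vars(t):
    """FV(t) for terms and normal forms in the encoding above."""
    tag = t[0]
    if tag == 'var':
        return {t[1]}
    if tag == 'lam':
        return free_vars(t[2]) - {t[1]}
    if tag == 'app':
        return free_vars(t[1]) | free_vars(t[2])
    if tag == 'inj':
        return free_vars(t[2])
    if tag == 'case':
        (x0, e0), (x1, e1), s = t[1], t[2], t[3]
        return (free_vars(e0) - {x0}) | (free_vars(e1) - {x1}) | free_vars(s)
    if tag == 'C':
        fv = set().union(*(free_vars(s) for s in t[1]))
        for bound, body in t[2].values():
            fv |= free_vars(body) - set(bound)
        return fv
    raise ValueError('unknown form %r' % (tag,))

def guards(t):
    """Guards(t): the guard set M of a C-form, empty for anything else."""
    return t[1] if t[0] == 'C' else ()

def redundant_at(c, i):
    """Is the family (t_f)_f of the C-form c redundant at its i-th guard?
    I.e. for all g on the other guards, t_{g[s_i->0]} and t_{g[s_i->1]}
    are equal and neither contains x_i (the variable bound for s_i)."""
    _, gs, branches = c
    others = [k for k in range(len(gs)) if k != i]
    for g in product((0, 1), repeat=len(others)):
        f = [None] * len(gs)
        for k, v in zip(others, g):
            f[k] = v
        f[i] = 0
        bound, t0 = branches[tuple(f)]
        f[i] = 1
        _, t1 = branches[tuple(f)]
        x_i = bound[i]
        if t0 != t1 or x_i in free_vars(t0) or x_i in free_vars(t1):
            return False
    return True

def redundancy_free(c):
    """Side condition: (t_f)_f is not redundant at any guard of c."""
    return not any(redundant_at(c, i) for i in range(len(c[1])))

def variable_condition(c):
    """Side condition: every guard of every branch t_f mentions at least
    one of the variables x_1..x_n bound by the C-construct."""
    return all(set(bound) & free_vars(s)
               for bound, body in c[2].values() for s in guards(body))

def readback(t):
    """d of Definition 3.2: d commutes with all formers except C, and
    d(C(M u {s}, (t_f)_f)) = delta (x.e0) (x.e1) d(s) with
    e_i = d(C(M, (t_{g[s->i]})_g)); here s is taken to be the first guard."""
    tag = t[0]
    if tag == 'var':
        return t
    if tag == 'lam':
        return ('lam', t[1], readback(t[2]))
    if tag == 'app':
        return ('app', readback(t[1]), readback(t[2]))
    if tag == 'inj':
        return ('inj', t[1], readback(t[2]))
    if tag == 'C':
        gs, branches = t[1], t[2]
        if not gs:                      # C(empty, (t)) reads back as t
            ((_, body),) = branches.values()
            return readback(body)
        s, rest = gs[0], gs[1:]
        x = next(iter(branches.values()))[0][0]   # variable bound for s
        arms = []
        for i in (0, 1):                # split the family on its value at s
            sub = {f[1:]: (bound[1:], body)
                   for f, (bound, body) in branches.items() if f[0] == i}
            arms.append((x, readback(('C', rest, sub))))
        return ('case', arms[0], arms[1], readback(s))
    raise ValueError('not a normal form: %r' % (tag,))

# Constructed inputs: the normal forms of Example 3.1, items 2-4.
Y, Y1, Y2, Z = ('var', 'y'), ('var', 'y1'), ('var', 'y2'), ('var', 'z')
EX2 = ('C', (Y1, Y2), {(i, j): (('x1', 'x2'), ('var', 'z%d%d' % (i, j)))
                       for i in (0, 1) for j in (0, 1)})
EX3 = ('C', (Y,), {(0,): (('x',), Z), (1,): (('x',), Z)})   # redundant at y
EX4 = ('C', (Y,), {(0,): (('z',), Z), (1,): (('z',), Z)})   # x_i = z occurs
# The nested expression rejected in item 2: x1 is not free in the guard y2.
INNER = {i: ('C', (Y2,), {(j,): (('x2',), ('var', 'z%d%d' % (i, j)))
                          for j in (0, 1)}) for i in (0, 1)}
EX2_NESTED = ('C', (Y1,), {(i,): (('x1',), INNER[i]) for i in (0, 1)})
```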


4  Neutral  constrained  environments 

Like Dougherty and Subrahmanyam [DS95] and Fiore and Simpson [FS99] we need to supply our type environments with constraints. These will be the objects of a category of constrained environments $\mathcal N$, where the morphisms will be injective renamings. The constraints are of the form $s = \iota_i(x_i)$ and express which branch a certain guard $s$ takes. This is the idea behind our Grothendieck topology on $\mathcal N$: a "covering" expresses case-splitting. This use of Grothendieck topologies is closely related to [FS99] where they were used for proving a definability result for a language with coproducts.

Definition 4.1 A neutral constrained environment, environment for short, is a pair $\Gamma \mid \Sigma$ where $\Gamma$ is a type environment and $\Sigma$ is a set of constraints of the form $s = \iota_0(x_0)$ or $s = \iota_1(x_1)$ where $\Gamma \vdash_{NE} s : A_0 + A_1$ and $x_0 : A_0$ (resp. $x_1 : A_1$) is contained in $\Gamma$ and moreover,

• no two distinct constraints involve the same neutral term, for example, $\Sigma$ cannot contain $s = \iota_0(x_0)$ and

• no two distinct constraints refer to the same variable, for example, $\Sigma$ cannot contain $s = \iota_0(x_0)$ and $s' = \iota_0(x_0)$ unless $s$ and $s'$ are identical.

A morphism from environment $\Delta \mid \Phi$ to environment $\Gamma \mid \Sigma$ is given by an injective function $\sigma : \mathrm{dom}(\Gamma) \to \mathrm{dom}(\Delta)$ satisfying $\Delta(\sigma(x)) = \Gamma(x)$ and $\sigma(s) = \iota_i(\sigma(x))$ is in $\Phi$ for each constraint $s = \iota_i(x)$ in $\Sigma$. In this way the environments form a category $\mathcal N$ in which composition is composition of functions.

If $\Delta$ extends $\Gamma$ and $\Phi$ extends $\Sigma$ then the inclusion $\sigma : \mathrm{dom}(\Gamma) \hookrightarrow \mathrm{dom}(\Delta)$ defines a morphism from $\Delta \mid \Phi$ to $\Gamma \mid \Sigma$ which we call a projection.

We are interested in studying equality of terms relative to a neutral constrained environment. The following definition is due to [DS95].

Definition 4.2 Let $\Gamma \mid \Sigma$ be an environment and $\vec d$ be a list of dummy terms of the same length as $\Sigma$ and of appropriate (to be explained) type. A (variable-binding) type environment $C^{\vec d, \Sigma}[\,]$ is defined as follows.

$$C^{\vec d, \emptyset}[\,] = [\,]$$

$$C^{\vec d\, d_1,\ \Sigma,\, s = \iota_0(x_0)}[\,] = \delta\,(x_0.C^{\vec d, \Sigma}[\,])\,(x_1.d_1\, x_1)\,d(s)$$

$$C^{\vec d\, d_0,\ \Sigma,\, s = \iota_1(x_1)}[\,] = \delta\,(x_0.d_0\, x_0)\,(x_1.C^{\vec d, \Sigma}[\,])\,d(s)$$

Note that $C^{\vec d, \Sigma}[e]$ binds all variables mentioned in $\Sigma$. Given two terms $\Gamma \vdash e_1 : C$ and $\Gamma \vdash e_2 : C$ we write $\Gamma \mid \Sigma \vdash e_1 = e_2 : C$ to mean that

$$\Gamma' \vdash C^{\vec d, \Sigma}[e_1] = C^{\vec d, \Sigma}[e_2] : C$$

in the theory BiCCC for all appropriate $\Gamma'$ and $\vec d$. Here $\vec d$ must be chosen such that the terms $C^{\vec d, \Sigma}[e_i]$ are type correct and $\Gamma'$ is obtained from $\Gamma$ by removing the variables mentioned in $\Sigma$ and possibly adding any extra free variables occurring in the dummy terms $\vec d$.

Remark 4.3 Note that ordinary type environments have no constraints but it follows immediately from the above definition that $\Gamma \mid \emptyset \vdash e_1 = e_2$ implies $\Gamma \vdash e_1 = e_2$.

5  Sheaves  over  environments 

We consider the functor category $\hat{\mathcal N} = \mathrm{Sets}^{\mathcal N}$ of presheaves and natural transformations between them. We recall the following definitions of the structure of $\hat{\mathcal N}$. A presheaf is given by a family of sets $F_{\Gamma \mid \Sigma}$ indexed by environments and for each morphism $\sigma : \Delta \mid \Phi \to \Gamma \mid \Sigma$ a function $F_\sigma : F_{\Gamma \mid \Sigma} \to F_{\Delta \mid \Phi}$ such that $F_1 = 1$ and $F_{\tau \sigma} = F_\tau F_\sigma$. If $a \in F_{\Gamma \mid \Sigma}$ we may write $a|_{\Delta \mid \Phi}$ for $F_\sigma(a)$ in case $\sigma$ is clear from the context. This notation will in particular be used when $\sigma$ is a projection.

A natural transformation from presheaf $F$ to presheaf $G$ is given by a family $g_{\Gamma \mid \Sigma}$ of maps $g_{\Gamma \mid \Sigma} : F_{\Gamma \mid \Sigma} \to G_{\Gamma \mid \Sigma}$ such that $G_\sigma\, g_{\Gamma \mid \Sigma} = g_{\Delta \mid \Phi}\, F_\sigma$ (naturality). If $a \in F_{\Gamma \mid \Sigma}$ we may write $g(a)$ for $g_{\Gamma \mid \Sigma}(a)$. Naturality then reads $g(a)|_{\Delta \mid \Phi} = g(a|_{\Delta \mid \Phi})$. As any category of presheaves, the category $\hat{\mathcal N}$ is bicartesian closed, that is, supports the interpretation of the type formers $T$, $\times$, $\Rightarrow$, $+$ (and $\Gamma$). If we denote the interpreting presheaves with the same symbols thus writing e.g. $F \Rightarrow G$ for the function space of presheaves, we have the following explicit constructions of the type formers in $\mathrm{Sets}^{\mathcal N}$:

$$T_{\Gamma \mid \Sigma} = \{()\}$$

$$(F \times G)_{\Gamma \mid \Sigma} = F_{\Gamma \mid \Sigma} \times G_{\Gamma \mid \Sigma}$$

$$(F + G)_{\Gamma \mid \Sigma} = F_{\Gamma \mid \Sigma} + G_{\Gamma \mid \Sigma}$$

$$(F \Rightarrow G)_{\Gamma \mid \Sigma} = \hat{\mathcal N}(\mathcal N(-, \Gamma \mid \Sigma) \times F, G)$$

However, as we mentioned in the introduction, we are not able to obtain normal forms by inverting this presheaf interpretation. Instead we shall consider the interpretation of terms in the category of sheaves over a certain topology, and show that this can be inverted.

Recall that the basis of a Grothendieck topology is a collection of basic coverings, satisfying the axioms of identity, transitivity, and stability [MM92, p. 111]. A covering of an object $\Gamma \mid \Sigma$ in $\mathcal N$ is here a family of arrows with codomain $\Gamma \mid \Sigma$. Since the category $\mathcal N$ does not have pullbacks in general, we use a modified axiom of stability [MM92, p. 156]. Moreover, like [FS99] we only require that the identity is a singleton covering, not that all isomorphisms are coverings.

Definition 5.1 The basis $K$ for a Grothendieck topology on $\mathcal N$ is inductively generated by the following clauses:

• The identity covering containing only the arrow $1_{\Gamma \mid \Sigma}$ is a basic covering of $\Gamma \mid \Sigma$.

• If $\Gamma \vdash_{NE} s : A_0 + A_1$ and $s$ is not mentioned in $\Sigma$, and if the family of projections from $(\Gamma_i \mid \Sigma_i)_i$ forms a basic covering of $\Gamma, x_0 : A_0 \mid \Sigma, s = \iota_0(x_0)$ and the family of projections from $(\Gamma_j \mid \Sigma_j)_j$ forms a basic covering of $\Gamma, x_1 : A_1 \mid \Sigma, s = \iota_1(x_1)$, then the disjoint union of the projections from $(\Gamma_i \mid \Sigma_i)_i$ and $(\Gamma_j \mid \Sigma_j)_j$ forms a basic covering of $\Gamma \mid \Sigma$.

The general concept of sheaves for Grothendieck topologies need not be presented, since it here specialises to the following rather digestible definition:

Proposition 5.2 A presheaf $F$ is a sheaf for $K$ iff whenever $\Gamma \mid \Sigma$ is covered by $\Gamma, x_0 : A_0 \mid \Sigma, s = \iota_0(x_0)$ and $\Gamma, x_1 : A_1 \mid \Sigma, s = \iota_1(x_1)$, that is, $\Gamma \vdash_{NE} s : A_0 + A_1$, and

$$f_0 \in F_{\Gamma, x_0 : A_0 \mid \Sigma, s = \iota_0(x_0)}$$

$$f_1 \in F_{\Gamma, x_1 : A_1 \mid \Sigma, s = \iota_1(x_1)}$$

then there exists a unique $f \in F_{\Gamma \mid \Sigma}$ (called pasting) such that

$$f|_{\Gamma, x_0 : A_0 \mid \Sigma, s = \iota_0(x_0)} = f_0$$

$$f|_{\Gamma, x_1 : A_1 \mid \Sigma, s = \iota_1(x_1)} = f_1$$

The following result follows from general properties of Grothendieck topologies and will therefore not be proved, see [MM92] for an exposition.

Proposition 5.3

1. The terminal object in $\hat{\mathcal N}$ is a sheaf.

2. If $F, G$ are sheaves so is $F \times G$ (cartesian product).

3. If $G$ is a sheaf and $F$ is a presheaf then $F \Rightarrow G$ is a sheaf (function space).

4. For each presheaf $F$ there exists a sheaf $aF$ (the associated sheaf or sheafification) and a natural transformation $\eta : F \to aF$ such that whenever $G$ is a sheaf and $f : F \to G$ then there exists a unique $\bar f : aF \to G$ with $\bar f \circ \eta = f$. In other words, the sheaves form a reflective subcategory of $\hat{\mathcal N}$.

5. The sheafification functor $a$ preserves binary products.




6. If $F, G$ are sheaves the coproduct $F + G$ is in general not a sheaf but $a(F + G)$ is the coproduct of $F$ and $G$ in the subcategory of sheaves.

7. If $u, v : F \to G$ and $F, G$ are sheaves then the equaliser of $u$ and $v$ is a sheaf.

We write $\Gamma \mid \Sigma \vdash_{NF} t : A$ to mean that $\Gamma \vdash_{NF} t : A$ and, moreover, none of the neutral terms mentioned in $\Sigma$ is contained in $\mathrm{Guards}(t)$. Intuitively, this is because no case split is ever needed for a guard whose value is already known through the environment. Note that there is no need to define $\Gamma \mid \Sigma \vdash_{NE} t : A$ and $\Gamma \mid \Sigma \vdash_{PNF} t : A$, since all guards inside neutral and pure normal terms include variables bound by $\lambda$'s. Hence the constraints in $\Sigma$ cannot affect $t$.

For a type $A$ we define the presheaves $NF(A)$, $PNF(A)$, $NE(A)$, $\mathrm{Term}(A)$ as follows:

$$NF(A)_{\Gamma \mid \Sigma} = \{t \mid \Gamma \mid \Sigma \vdash_{NF} t : A\}$$

$$PNF(A)_{\Gamma \mid \Sigma} = \{t \mid \Gamma \vdash_{PNF} t : A\}$$

$$NE(A)_{\Gamma \mid \Sigma} = \{t \mid \Gamma \vdash_{NE} t : A\}$$

$$\mathrm{Term}(A)_{\Gamma \mid \Sigma} = \{t \mid \Gamma \mid \Sigma \vdash t : A\} / \sim_\Sigma$$

where $t \sim_\Sigma t'$ stands for $\Gamma \mid \Sigma \vdash t = t' : A$.

If $\sigma : \Delta \mid \Phi \to \Gamma \mid \Sigma$ and $\Gamma \mid \Sigma \vdash_{NE} t : A$ then $NE(A)_\sigma(t) \in NE(A)_{\Delta \mid \Phi}$ is defined by replacing each free variable $x$ in $t$ by $\sigma(x)$. The morphism parts $\mathrm{Term}_\sigma$ and $PNF_\sigma$ are defined analogously.

If $t \in NF_{\Gamma \mid \Sigma}(A)$ then $NF_\sigma(t)$ is defined by first replacing each free variable $x$ in $t$ by $\sigma(x)$ and then plugging in all the constraints mentioned in $\Phi$ by repeatedly performing the following atomic restriction operation (an analogous operation appears in Ghani's thesis [Gh95a] under the name "first and second residue").

Definition 5.4 Let $t \in NF(C)_{\Gamma \mid \Sigma}$ and $\Gamma \vdash_{NE} s : A_0 + A_1$. Then we define the restriction $t[s := \iota_i(x_i)]$ of $t$ to $\Gamma, x_i : A_i \mid \Sigma, s = \iota_i(x_i)$ (along the projections) as follows.

$$t[s := \iota_i(x_i)] = t \quad \text{if } s \notin \mathrm{Guards}(t)$$

$$C(M \cup \{s\}, (t_f)_f)[s := \iota_i(x_i)] = C^{sh}(M, (t_{g[s \mapsto i]})_g)$$

where $C^{sh}$ computes a normal form to be defined below. Note that we cannot simply replace $C^{sh}$ by $C$ because the set of guards can become empty upon plugging in a constraint, new redundancies may be created, and the variable conditions may be violated. We define $C^{sh}(\emptyset, (t))$ to be $t$ and $C^{sh}(M \cup \{s\}, (t_f)_f)$ to be

To compute $\delta^{sh}\,(x_0.t_0)\,(x_1.t_1)\,s$ we first check whether $t_i$ depend on $x_i$ and are different (see the definition of redundancy). If not, we return $t_0\ (= t_1)$, or otherwise, we return $C(\{s\} \cup M_0 \cup M_1, t_g)$, where

$$M_i = \{s_j \in \mathrm{Guards}(t_i) \mid x_i \notin FV(s_j)\}$$

for $i = 0, 1$, and the family $t_g$ is adjusted accordingly.

Proposition 5.5 $d$ defines natural transformations

$$NF(A) \to \mathrm{Term}(A), \quad PNF(A) \to \mathrm{Term}(A), \quad NE(A) \to \mathrm{Term}(A).$$

If $\vec t : \mathcal B_0(\Delta, \Gamma)$ is a morphism in the free BiCCC $\mathcal B_0$, that is, a sequence of terms in type environment $\Delta$, then $[e] \mapsto [\vec t\, e]$ defines a natural transformation $\mathrm{Term}(\vec t) : \mathrm{Term}(\Delta) \to \mathrm{Term}(\Gamma)$. This makes $\mathrm{Term}(-)$ a functor from $\mathcal B_0$ to $\hat{\mathcal N}$ preserving $T$ and cartesian products.

Proposition 5.6 The presheaf $\mathrm{Term}(A)$ is a sheaf.

Proposition 5.7 The presheaf $NF(A)$ is a sheaf and is isomorphic to the sheafification $a(PNF(A))$ of $PNF(A)$ with the embedding $\eta : PNF(A) \to NF(A)$ given by $\eta_{\Gamma \mid \Sigma}(t) = t$.

If $\Gamma \vdash_{NE} s : A_0 + A_1$, then the pasting of two normal forms $t_i \in NF(A)_{\Gamma, x_i : A_i \mid \Sigma, s = \iota_i(x_i)}$ is the normal form

$$\delta^{sh}\,(x_0.t_0)\,(x_1.t_1)\,s \in NF(A)_{\Gamma \mid \Sigma}.$$

Let us write $Sh(\mathcal N)$ for the full subcategory of $\hat{\mathcal N}$ consisting of the sheaves. We know from Prop. 5.3 that $Sh(\mathcal N)$ is a BiCCC. Since the category $\mathcal B_0$ of sequences of types and terms is a free BiCCC there is a unique interpretation functor $[\![-]\!] : \mathcal B_0 \to Sh(\mathcal N)$, determined by

$$[\![o]\!] = NF(o)$$

Concretely, this functor is given by defining a canonical BiCCC structure on $Sh(\mathcal N)$.

6  Inverting  the  interpretation  function 

We will now define natural transformations

$$q^A : [\![A]\!] \to NF(A)$$

$$u^A : NE(A) \to [\![A]\!]$$

in such a way that for a term $\Gamma \vdash e : A$,

$$\mathrm{nf}(e) = q^A([\![e]\!](u^\Gamma(1_\Gamma)))$$

will satisfy NF1:

• $q^o : NF(o) \to NF(o)$ is the identity function.

$u^o : NE(o) \to NF(o)$ is the injection from neutral terms to normal terms given by the obvious term-formation rules.

• $q^T : T \to NF(T)$ is the constant function returning the normal form $()$.

$u^T : NE(T) \to T$ is the constant function returning the element $() \in T$. (As before we use the same signs for corresponding syntactic and semantic notions.)

• $q^{A_0 \times A_1} = \mathrm{pair}^{sh} \circ (q^{A_0} \times q^{A_1})$ where $\mathrm{pair}^{sh} : NF(A_0) \times NF(A_1) \to NF(A_0 \times A_1)$ is the unique map satisfying $\mathrm{pair}^{sh}(t_1, t_2) = (t_1, t_2)$ for pure normal forms $t_1, t_2$. This map exists by Proposition 5.7 and the fact that $a$ preserves products.

$$u^{A_0 \times A_1}_{\Gamma \mid \Sigma}(s) = (u^{A_0}_{\Gamma \mid \Sigma}(\pi_0(s)),\ u^{A_1}_{\Gamma \mid \Sigma}(\pi_1(s)))$$


• Let $\phi \in [\![A \Rightarrow B]\!]_{\Gamma \mid \Sigma} = \hat{\mathcal N}(\mathcal N(-, \Gamma \mid \Sigma) \times [\![A]\!], [\![B]\!])$. Then

$$q^{A \Rightarrow B}_{\Gamma \mid \Sigma}(\phi) =$$

where $\sigma$ is the projection from $\Gamma, x : A \mid \Sigma$ to $\Gamma \mid \Sigma$. Here $\lambda^{sh} x.C(M, (x_1 \ldots x_n.t_f)_f)$ is obtained by dividing $M$ into two sets, $M_0$ which contains the guards which do not depend on $x$, and $M_1$, which contains the guards which do. Then we return

$$C(M_0, (x_1 \ldots x_{n_0}.\lambda x.C(M_1, (x_1 \ldots x_{n_1}.t_{f_0 \cup f_1})_{f_1}))_{f_0})$$

Compare also example 1 in 3.1.

Let $s \in NE(A \Rightarrow B)_{\Gamma \mid \Sigma}$. Then $u^{A \Rightarrow B}_{\Gamma \mid \Sigma}(s) \in [\![A \Rightarrow B]\!]_{\Gamma \mid \Sigma}$ is defined by

$$(u^{A \Rightarrow B}_{\Gamma \mid \Sigma}(s))_{\Delta \mid \Phi}(\sigma, a) =$$

where $\sigma \in \mathcal N(\Delta \mid \Phi, \Gamma \mid \Sigma)$ and $a \in [\![A]\!]_{\Delta \mid \Phi}$.

• $q^{A_0 + A_1}$ is the unique map (arising from the coproduct property of $[\![A_0 + A_1]\!]$) satisfying

$$q^{A_0 + A_1}(\iota_0^{sh}(a)) = \iota_0^{sh}(q^{A_0}(a))$$

$$q^{A_0 + A_1}(\iota_1^{sh}(b)) = \iota_1^{sh}(q^{A_1}(b))$$

Here $\iota_i^{sh}$ are the coproduct injections in $Sh(\mathcal N)$ and $\iota_0^{sh} : NF(A_0) \to NF(A_0 + A_1)$ is the unique map satisfying $\iota_0^{sh}(t) = \iota_0(t)$ for pure normal form $t : A_0$. Similarly for $\iota_1^{sh}$.

To construct

$$u^{A_0 + A_1} : NE(A_0 + A_1) \to [\![A_0 + A_1]\!]$$

as a family $f_{\Gamma \mid \Sigma}$, consider $s \in NE(A_0 + A_1)_{\Gamma \mid \Sigma}$: either $s = \iota_0(x) \in \Sigma$ in which case we put $f_{\Gamma \mid \Sigma}(s) = \iota_0^{sh}(u^{A_0}_{\Gamma \mid \Sigma}(x))$, or $s = \iota_1(y) \in \Sigma$ and we put $f_{\Gamma \mid \Sigma}(s) = \iota_1^{sh}(u^{A_1}_{\Gamma \mid \Sigma}(y))$, or $s$ is not mentioned in $\Sigma$ in which case we define $f_{\Gamma \mid \Sigma}(s)$ as the unique pasting of

$$a_0 \stackrel{\mathrm{def}}{=} \iota_0^{sh}\big(u^{A_0}_{\Gamma, x : A_0 \mid \Sigma, s = \iota_0(x)}(x)\big)$$

$$a_1 \stackrel{\mathrm{def}}{=} \iota_1^{sh}\big(u^{A_1}_{\Gamma, x : A_1 \mid \Sigma, s = \iota_1(x)}(x)\big)$$

It follows by straightforward calculations that all these are indeed natural transformations.

Proposition 6.1 In order to establish NF1, that is, $e = d(q^A([\![e]\!](u(1_\Gamma))))$ for $\Gamma \vdash e : A$ we define a family of subsheaves $R^A_{\Gamma \mid \Sigma} \subseteq [\![A]\!]_{\Gamma \mid \Sigma} \times \mathrm{Term}(A)_{\Gamma \mid \Sigma}$ such that

(i) For all $a \in [\![A]\!]_{\Gamma \mid \Sigma}$ and $\Gamma \vdash e : A$:

$$a\ R^A_{\Gamma \mid \Sigma}\ e \quad \text{implies} \quad \Gamma \mid \Sigma \vdash d(q^A_{\Gamma \mid \Sigma}(a)) = e$$

(ii) For all $s \in NE(A)_{\Gamma \mid \Sigma}$:

$$u^A_{\Gamma \mid \Sigma}(s)\ R^A_{\Gamma \mid \Sigma}\ d(s)$$

We can extend $R$ to type environments by letting $(a_1, \dots, a_n)\ R_{\Gamma \mid \Sigma}\ (f_1, \dots, f_n)$ iff $a_i\ R_{\Gamma \mid \Sigma}\ f_i$ for $1 \le i \le n$, where $\Gamma = x_1 : A_1, \dots, x_n : A_n$. Similarly, we can extend $q$ and $u$ to type environments as well.

Proposition 6.2 (Logical Relations Lemma) If $\Gamma \vdash e : C$ and $a\ R_{\Gamma \mid \Sigma}\ \vec f$ then

$$[\![e]\!](a)\ R_{\Gamma \mid \Sigma}\ e[\vec f / \vec x],$$

where $\vec x$ are the variables in $\Gamma$.

Theorem 6.3 The equational theory BiCCC is decidable.

Proof. The above shows that the normalisation function $\mathrm{nf}$ satisfies NF1, because by (ii) and $d(1_\Gamma) = 1_\Gamma$, we know that

$$u^\Gamma(1_\Gamma)\ R_{\Gamma \mid \emptyset}\ 1_\Gamma$$

Hence by Proposition 6.2, we know that

$$[\![e]\!](u^\Gamma(1_\Gamma))\ R_{\Gamma \mid \emptyset}\ e$$

Hence, by (i) (cf. Remark 4.3)

$$\Gamma \vdash d(\mathrm{nf}(e)) = d(q([\![e]\!](u^\Gamma(1_\Gamma)))) = e$$

As we pointed out in the introduction NF2 holds automatically, and hence it follows that

$$\Gamma \vdash e_1 = e_2 \iff \mathrm{nf}(e_1) = \mathrm{nf}(e_2)$$

This yields a decision procedure since equality of normal forms is decidable. (Note that when writing the algorithm we represent the finite set of guards as a list or a tree, so that normal forms are only unique up to the ordering of the guards.) Furthermore, the interpretation in $Sh(\mathcal N)$ as well as the definition of $q, u$ are clearly algorithmic. In fact, the whole development can be formalised in extensional Martin-Löf type theory using standard methods for formalizing category theory in Martin-Löf type theory. This would be one way of demonstrating explicitly that all functions we construct by abstract mathematical means are computable. □
Strong Normalisation in the π-Calculus

(Extended Abstract)

Nobuko Yoshida* Martin Berger† Kohei Honda†


Abstract 

We introduce a typed π-calculus where strong normalisation is ensured by typability. Strong normalisation is a useful property in many computational contexts, including distributed systems. In spite of its simplicity, our type discipline captures a wide class of converging name-passing interactive behaviour. The proof of strong normalisability combines methods from typed λ-calculi and linear logic with process-theoretic reasoning. It is adaptable to systems involving state and other extensions. Strong normalisation is shown to have significant consequences, including finite axiomatisation of weak bisimilarity, a fully abstract embedding of the simply-typed λ-calculus with products and sums and basic liveness in interaction.

Strong normalisability has been extensively studied as a fundamental property in functional calculi, term rewriting and logical systems. This work is one of the first steps to extend theories and proof methods for strong normalisability to the context of name-passing processes.

1.  Introduction 

Background The formal study of types in programming languages and computational calculi has led to the understanding that types can ensure a wide range of desirable computational properties, ranging from error-free execution to logical specification of program behaviour. One important property in this context, widely found in typed λ-calculi, is strong normalisation (SN), which says that computation in programs necessarily terminates regardless of evaluation strategy. This is interesting from a logical viewpoint especially because, by the correspondence between proofs and programs, SN of certain λ-calculi implies consistency of the corresponding logical systems. For this reason functional calculi and logics have been the main focus in the study of strong normalisability so far.

* Department of Mathematics and Computer Science, University of Leicester, UK. E-Mail: nyll@mcs.le.ac.uk. † Department of Computer Science, Queen Mary, University of London, E-Mail: {martinb, kohei}@dcs.qmw.ac.uk. Partially supported by EPSRC grant GR/N/37633.

The significance of SN is, however, not limited to this traditional setting. SN is also interesting in the context of communicating processes. As an example, consider a distributed client-server interaction: when a client requests some service, s/he may naturally wish the computation on the server's side to terminate and return an answer. SN is thus a basic requirement for, say, interaction between banks and their customers. As another example, the resource preservation guaranteed by SN has been one of the main reasons for Gunter and his colleagues to develop their typed programming language for active networks (PLAN) [15, 33] on the basis of a simply typed λ-calculus. Such languages require primitives for communication and concurrency. This suggests a systematic effort to extend the accumulated theories of functional SN types to the realm of interactivity is a worthwhile endeavour.

We are thus motivated to reposition and study strong normalisability in the context of process theory. In particular, is there a basic typed process calculus in which strongly normalising functional calculi are faithfully embeddable? By faithful, we mean that typability of the encoding automatically ensures strong normalisability of the source calculus. More ambitiously, can we obtain exact semantic correspondence, including full abstraction and full completeness? Obtaining affirmative answers to these questions would not be of mere theoretical interest: as typed λ-calculi offer a basic theory of procedure calls, a fundamental abstraction in programming, embeddability of SN functional calculi would capture interactive behaviour powerful enough to involve non-trivial procedural calls while maintaining SN. Exploration of strong normalisability in this broader context might also shed new light on typed functional computation itself.

The present work is a trial in this direction, introducing a typed π-calculus in which the first-order strongly normalising λ-calculi are fully abstractly embeddable. The type discipline simply adds the minimum form of causal chains to the system introduced in [8] where we established a fully abstract encoding of PCF. This small addition radically changes the class of typable process behaviour, turning possibly diverging computation into a strongly normalising one. As would be imagined by the embeddability of typed λ-calculi, the proof of SN is non-trivial, defying naive structural induction. We adapt methods developed for strongly normalising λ-calculi [6,13,37], combined with process-algebraic reasoning [8,30,32,36,40]. As far as we know, this is the first time a compositional principle for ensuring SN has been established for name passing processes with non-trivial use of replication. The proof method for SN is applicable to extensions of the presented formalism. In the following, we outline key technical ideas and relate our work to the existing literature.

The π-Calculus  Following [8], we use an asynchronous variant of the π-calculus [10,19]; computation in this calculus is generated by interaction between processes.

$$x(\tilde y).P \;|\; \bar x\langle\tilde v\rangle \;\longrightarrow\; P\{\tilde v/\tilde y\}$$

Here $\tilde y$ denotes a potentially empty vector $y_1 \ldots y_n$, $|$ denotes parallel composition, $x(\tilde y).P$ is input, and $\bar x\langle\tilde v\rangle$ is asynchronous output. Operationally this reduction represents the consumption of an asynchronous message by a receptor. The idea extends to a receptor with replication

$$!x(\tilde y).P \;|\; \bar x\langle\tilde v\rangle \;\longrightarrow\; !x(\tilde y).P \;|\; P\{\tilde v/\tilde y\},$$

where the replicated process remains in the configuration after reduction. As a simple example of a process, first consider the forwarder agent $\mathsf{Fw}(ab)$

$$\mathsf{Fw}(ab) \;=\; !a(x).\bar b\langle x\rangle$$

which repeatedly inputs a value at $a$ and outputs it immediately at $b$. As another example, the following is a client which requests at $a$ to have returned a value via a private name $c$

$$\bar a(c)\,c(y).P$$

where $\bar a(c)\,c(y).P$ stands for $(\nu c)(\bar a\langle c\rangle \;|\; c(y).P)$ with $(\nu c)$ being a restriction operator. Using these agents, $R$ below is a simple but interesting example of livelock

$$R \;=\; \mathsf{Fw}(aa) \;|\; \bar a(c)\,c(y).P$$

since $R$ causes an infinite reduction sequence and the receptor $c(y).P$ waits forever for an answer at $c$. In an untyped setting, $R$ is equal to $\bar a(c)\,c(y).P$ up to asynchronous bisimilarity, but the two are quite different regarding resource consumption. The next example shows how subtleties arise through new link creation of the π-calculus.

$$a(x).\mathsf{Fw}(bx) \;|\; \bar a(c)\mathsf{Fw}(cb) \;|\; \bar b$$

After a one step reduction via $a$, we obtain $\mathsf{Fw}(bc) \;|\; \mathsf{Fw}(cb) \;|\; \bar b$, which exhibits divergence.


Type Discipline for SN  The type discipline of this paper is a simple refinement of [8]. Concretely, the system is based on two central ideas:

•  Linear types [12,26,27,40], which ensure that a channel is used exactly once for input/output and, for a replicated channel, an input occurs exactly once and output occurs zero or more times [8,24,29,32,36].

•  Action types with causality, where causality is represented by edges in a directed graph whose acyclicity ensures the absence of circular dependencies [26,27,40]. Transmission of causality is controlled by a form of cut elimination in action types.

Let us illustrate these points by examples. First, $\mathsf{Fw}(ab)$ is typed as follows, assuming an appropriate environment $\Gamma$.

$$\Gamma \vdash \mathsf{Fw}(ab) \;\triangleright\; !a \to ?b$$

Here $!a \to ?b$ indicates that the process repeatedly inputs at $a$ and then outputs at $b$. Cut elimination occurs between input and output with the same name. For example, given an appropriate base $\Gamma$, we can type ($\otimes$ being disjoint union):

$$\Gamma \vdash \mathsf{Fw}(a_1c) \;|\; \mathsf{Fw}(a_2c) \;|\; \mathsf{Fw}(cb) \;\triangleright\; !a_1 \to ?b \;\otimes\; !a_2 \to ?b \;\otimes\; !c \to ?b$$
$$\Gamma \vdash\; !a(x).(\bar b\langle x\rangle \,|\, \bar b\langle x\rangle) \;|\; !b(x).(\bar c\langle x\rangle \,|\, \bar c\langle x\rangle) \;\triangleright\; (!a \to ?c) \otimes (!b \to ?c)$$

We can detect a cyclic dependency such as $\mathsf{Fw}(ab) \,|\, \mathsf{Fw}(ba)$ by looking at their types $!a \to ?b$ and $!b \to ?a$ [20,24,40].

Proving SN for the π-Calculus  To prove SN for typable processes, the first idea would be, in the light of the previous examples, to show that reduction steps follow a non-circular ordering on free channels, e.g. the reductions of $\bar a\langle v\rangle \,|\, \mathsf{Fw}(ab) \,|\, \mathsf{Fw}(bc)$ proceed at $a$, $b$ and $c$ in this order, but in $\bar a\langle v\rangle \,|\, \mathsf{Fw}(ab) \,|\, \mathsf{Fw}(ba)$ they are repeated between $a$ and $b$. However, due to creation of new links and replication of terms, both crucial features of π-calculi, such reasoning is infeasible, at least in its naive form. Consider the process

$$!a(x).(\bar x\langle v_1\rangle \,|\, \bar x\langle v_2\rangle) \;|\; \bar a(c)\mathsf{Fw}(cb) \;|\; !b(x).(\bar a\langle x\rangle \,|\, \bar a\langle x\rangle) \qquad (1)$$

which has type $!a \otimes !b$. The process owns reductions first at $a$, then at $b$, then at $a$ again. Further, the number of redexes increases exponentially in its course, but the computation terminates. Such behaviour occurs when a process requests the same resource more than once in an interaction, e.g. in an encoding of the λ-term $\lambda xyz.((xz)(yz))$ [28]. The difficulty in analysing (1) can be seen by considering the following subterm of a one step descendant of (1).

$$(\nu c)(\bar c\langle v_1\rangle \,|\, \bar c\langle v_2\rangle \,|\, \mathsf{Fw}(cb))$$

It contains a chain $!c \to ?b$, which is difficult to determine before $c$ is passed. In fact, if we naively represent causality incorporating bound names in (1), there is a circular chain $a \to c \to b \to a$, although this cycle never arises in actual interaction. How can we then prove termination? Simple structural inductions would not be usable for the same reason they do not work in typed λ-calculi [6,11].
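The livelock $R$ and process (1) above can be checked mechanically. The following Python reducer is an added example written for this page, not code from the paper: it implements the two reduction rules of the asynchronous calculus over a flat parallel composition, with restriction elided because every bound name in the constructed terms is already distinct from the free ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


# Terms of the asynchronous pi-calculus (constructed for this example).
# Restriction is elided: bound names in the terms below are already unique.
@dataclass(frozen=True)
class Out:                 # x<v1..vn>: asynchronous output
    subj: str
    args: Tuple[str, ...]


@dataclass(frozen=True)
class In:                  # x(y1..yn).P: linear input; body is a parallel composition
    subj: str
    params: Tuple[str, ...]
    body: Tuple["Term", ...]


@dataclass(frozen=True)
class Rep:                 # !x(y1..yn).P: replicated input
    subj: str
    params: Tuple[str, ...]
    body: Tuple["Term", ...]


Term = Union[Out, In, Rep]


def subst(t: Term, sigma: Dict[str, str]) -> Term:
    """P{v/y}: rename free names; parameters shadow the substitution."""
    ren = lambda n: sigma.get(n, n)
    if isinstance(t, Out):
        return Out(ren(t.subj), tuple(ren(a) for a in t.args))
    inner = {k: v for k, v in sigma.items() if k not in t.params}
    return type(t)(ren(t.subj), t.params, tuple(subst(u, inner) for u in t.body))


def step(conf: List[Term]) -> Optional[List[Term]]:
    """One reduction: an output meets a receptor with the same subject and arity.

    x(y).P | x<v>  ->  P{v/y}            (linear receptor consumed)
    !x(y).P | x<v> ->  !x(y).P | P{v/y}  (replicated receptor kept)
    """
    for i, o in enumerate(conf):
        if not isinstance(o, Out):
            continue
        for j, r in enumerate(conf):
            if isinstance(r, (In, Rep)) and r.subj == o.subj and len(r.params) == len(o.args):
                spawned = [subst(u, dict(zip(r.params, o.args))) for u in r.body]
                keep = [t for k, t in enumerate(conf)
                        if k != i and (k != j or isinstance(r, Rep))]
                return keep + spawned
    return None


def run(conf: List[Term], bound: int = 50) -> Tuple[int, List[Term]]:
    """Reduce until no redex remains; steps == bound signals a possible livelock."""
    steps = 0
    while steps < bound:
        nxt = step(conf)
        if nxt is None:
            break
        conf, steps = nxt, steps + 1
    return steps, conf


def diverges(conf: List[Term], bound: int = 50) -> bool:
    """True when the step bound is exhausted without reaching a normal form."""
    return run(conf, bound)[0] == bound


def Fw(a: str, b: str) -> Rep:
    """Forwarder Fw(ab) = !a(x).b<x> from Section 1."""
    return Rep(a, ("x",), (Out(b, ("x",)),))


# R = Fw(aa) | a(c)c(y).P : the livelock (a<c> is regenerated forever; P taken as 0)
R = [Fw("a", "a"), Out("a", ("c",)), In("c", ("y",), ())]

# Process (1): !a(x).(x<v1>|x<v2>) | a(c)Fw(cb) | !b(x).(a<x>|a<x>), of type !a (x) !b.
# Redexes double at each stage (2 at c, 2 at b, 4 at a) yet reduction terminates.
P1 = [Rep("a", ("x",), (Out("x", ("v1",)), Out("x", ("v2",)))),
      Out("a", ("c",)), Fw("c", "b"),
      Rep("b", ("x",), (Out("a", ("x",)), Out("a", ("x",))))]


if __name__ == "__main__":
    print("R diverges:", diverges(R))                  # True: livelock
    steps, final = run(P1)                              # 9 steps, 8 dangling outputs
    print("(1) terminates after", steps, "steps with",
          sum(isinstance(t, Out) for t in final), "outputs left at v1/v2")
```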

The idea we use is suggested by SN proofs for typed λ-calculi, due to, among others, Tait [37]. His method employs a semantic interpretation of each type $[\![\alpha]\!]$ as a collection of strongly normalising λ-terms, and shows that all typable terms are indeed in these sets. A key step is to prove that $\lambda x{:}\alpha.M \in [\![\alpha \to \tau]\!]$ for each $M : \tau$ (for which by induction $M \in [\![\tau]\!]$), which means, by definition, $(\lambda x.M)N \in [\![\tau]\!]$ for each $N \in [\![\alpha]\!]$. But all semantic types have the property that $M\{N/x\} \in [\![\tau]\!]$ and $(\lambda x.M)N \to M\{N/x\}$ imply $(\lambda x.M)N \in [\![\tau]\!]$, hence we have only to show $M\{N/x\} \in [\![\tau]\!]$. To be able to do this we strengthen the induction hypothesis $M \in [\![\tau]\!]$ to $M \in [\![\tau]\!]_\rho$ for each environment $\rho$, mapping each variable of type $\alpha$ to some term in $[\![\alpha]\!]$. Now the result is immediate. While we cannot use an identical framework due to the different nature of reduction in the π-calculus, a similar technique works "for the induction to go through". A key observation concerns the close correspondence between the substitution $M\{N/x\}$ and the consumption of a message $\bar x\langle\tilde v\rangle$ by a replicated process $!x(\tilde y).Q$. Thus, at each induction step, we prove that $P \,|\, (R_1 \,|\, \ldots \,|\, R_n)$ converges for each possible "environment" $R_1 \,|\, \ldots \,|\, R_n$ which complements $P$. Termination behaviour is calculated via the extended reduction suggested by strong bisimilarity (which does not change termination) together with replication theorems [8,30,36]. Then acyclicity in causality yields strong normalisation.

Summary of Contributions  The following summarises the main technical contributions of the present work. (3) solves an open problem in [28] for the simple type hierarchy.

1. Introduction of a typed π-calculus where strong normalisability is ensured by typability. SN has significant consequences for the calculus, including the finite axiomatisation of the weak bisimilarity and the basic liveness in interaction.

2. Establishment of strong normalisability of typable processes combining ideas from traditional SN proofs for typed λ-calculi with process-theoretic reasoning.

3. Embedding, using Milner's encoding [28], of the simply typed λ-calculus with sums and products ($\lambda^{\to,\times,+}$) into our typed π-calculus. The embedding is fully abstract w.r.t. the observational congruence of $\lambda^{\to,\times,+}$, justifying all commutative conversions and η-equations [13] and automatically leads to SN in the source calculus.

Related Work  Strong normalisation in typed λ-calculi has been studied extensively in the past; detailed surveys can be found in [6,11]. Abramsky extends the Curry-Howard correspondence to linear logic [12] using proof expressions and proves SN [1], guiding our present usage of acyclicity in names. This programme is taken further with realisability semantics of linear logic in [5] where CCS processes act as realisers. The operational structure of [5] follows his own π-calculus encoding of proof nets [2]. The appeal of realisability lies in treating semantics and syntax uniformly on a logical basis. In the context of SN types for the π-calculus, sharing of names and dynamic link creation would make the framework in [1,5] hard to apply directly. In contrast, the present work offers a possibly basic type discipline that does not directly correspond to known logical systems but is based on simple operational principles, resulting in a new effective method to ensure SN for name passing processes.

As our initial example of server-client interaction suggests, SN in processes is closely related to liveness properties in interaction. Yoshida [40] presents a typed π-calculus with a local liveness property. Kobayashi and his colleagues [23-26] propose several typing systems which ensure a form of liveness (in [25] time quotas are assigned to communications for this purpose). Unlike the present work, these and other preceding typing systems for the π-calculus [8,16,17,34,36] do not guarantee SN and the associated liveness properties for processes involving non-trivial use of replication. As a result, embeddability of, say, $\lambda^{\to,\times,+}$ in these systems does not guarantee the SN of the source calculus.

Structure of the Paper  Section 2 introduces the syntax and the type discipline. Section 3 proves the main result, the strong normalisability. Section 4 presents the complete axiomatisation of weak bisimilarity. Section 5 gives a fully abstract encoding of $\lambda^{\to,\times,+}$. Section 6 briefly outlines further results. The technical details, including omitted proofs, can be found in the full version [41].

2.  Processes  and  Typing 

2.1.  Processes 

Following [8], we use the asynchronous version of the π-calculus [10,19] with bound output [35].¹

$$P \;::=\; x(\tilde y).P \;\;\text{input} \;\mid\; P\,|\,Q \;\;\text{parallel} \;\mid\; \bar x(\tilde y)P \;\;\text{output} \;\mid\; (\nu x)P \;\;\text{hiding} \;\mid\; !x(\tilde y).P \;\;\text{replication} \;\mid\; \mathbf 0 \;\;\text{inaction}$$

The bound/free names are defined as usual and we assume the variable convention for bound names. The structural rules are standard except for omission of $!P \equiv\; !P\,|\,P$ and for incorporation of congruence rules making output asynchronous [8].

$$\bar x(\tilde z)(P\,|\,Q) \;\equiv\; (\bar x(\tilde z)P)\,|\,Q \quad\text{if } \mathrm{fn}(Q)\cap\{\tilde z\} = \emptyset$$
$$\bar x(\tilde z)(\nu w)P \;\equiv\; (\nu w)\bar x(\tilde z)P \quad\text{if } w \notin \{x\tilde z\}$$

The reduction $\longrightarrow$ is generated by the following rules.

$$x(\tilde y).P \,|\, \bar x(\tilde y)Q \;\longrightarrow\; (\nu\tilde y)(P\,|\,Q)$$
$$!x(\tilde y).P \,|\, \bar x(\tilde y)Q \;\longrightarrow\; !x(\tilde y).P \,|\, (\nu\tilde y)(P\,|\,Q)$$

The relation is defined over processes modulo $\equiv$ and is closed under parallel composition, restriction and output.

¹The full syntax includes branching, which is discussed in Section 5.2.

2.2.  Types 

Channel Types  The following pairs of action modes [8,20] prescribe how each channel is used in typed processes.

$\downarrow$  Linear input        $\uparrow$  Linear output
$!$  Replicated input     $?$  Output to $!$

We also use $\bot$ to indicate the presence of both input and output at a linear channel. $p, q, \ldots$ range over action modes.

For $p \neq \bot$, we write $\bar p$ for the dual of $p$, a self-inverse map on the action modes such that $\bar\downarrow = \uparrow$ and $\bar{!} = ?$. The modes correspond to $!_l, ?_l, !_\omega$ and $?_\omega$ introduced in [8], except that the present modes indicate true linearity for linear channels (i.e. input and output occur precisely once) and lack of divergence for replicated channels.

Using action modes, we first define the set of channel types: they are assigned to names and indicate how channels would be used.

$$\alpha \;::=\; \tau \;\mid\; (\tau,\bar\tau) \qquad\qquad \tau_I \;::=\; (\tilde\tau_O)^{\downarrow} \;\mid\; (\tilde\tau_O)^{!}$$
$$\tau \;::=\; \tau_I \;\mid\; \tau_O \qquad\qquad\;\; \tau_O \;::=\; (\tilde\tau_I)^{\uparrow} \;\mid\; (\tilde\tau_I)^{?}$$

In the first line $\bar\tau$ denotes the dual of $\tau$, which is the result of dualising all action modes; $\mathrm{md}(\tau)$ indicates the (outermost) action mode of $\tau$. A type of form $(\tau,\bar\tau)$, called a pair type, is an unordered pair of mutually dual types.

Following [8] we only consider types where, in $(\tilde\tau_O)^{!}$, each $\tau_i$ has mode $\uparrow$ (and dually for $(\tilde\tau_I)^{?}$). This constraint, which comes from game semantics, is not essential for SN but simplifies presentation and proofs.

Action Types  Channel types are assigned to free names of a process to specify possible usage of names. Action types, on the other hand, carry causality information [40] and witness the real usage of channels. Formally, an action type, denoted $A, B, \ldots$, is a finite directed graph with nodes of the form $px$, such that:

•  no names occur twice; and

•  edges are of the form $!x \to ?y$ or $\downarrow x \to \uparrow y$.

If $px$ is in $A$ and for no $y$ we have $qy \to px$, then we say $x$ is active in $A$. $|A|$ (resp. $\mathrm{fn}(A)$, $\mathrm{active}(A)$, $\mathrm{md}(A)$) denotes the set of nodes (resp. names, active names, modes) in $A$. $A\backslash\tilde x$ is the result of taking off nodes with names in $\tilde x$ from $A$. $A \uplus B$ is the graph union of $A$ and $B$.

Now define a symmetric partial operator $\odot$ on modes by: $\downarrow \odot \uparrow = \bot$, $? \odot ? = ?$ and $! \odot ? = !$. Write $A \asymp B$ iff:

•  whenever $px \in A$ and $qx \in B$, $p \odot q$ is defined; and

•  whenever $p_1x_1 \to p_2x_2,\; p_2x_2 \to p_3x_3,\; \ldots,\; p_nx_n \to p_{n+1}x_{n+1}$ in $A \uplus B$ ($n \geq 1$), we have $x_1 \neq x_{n+1}$.

Then $A \odot B$, defined iff $A \asymp B$, is the following action type.

•  $px \in |A \odot B|$ iff either (1) $px \in |A|$ and $x \notin \mathrm{fn}(B)$, or the symmetric case, or (2) $qx \in |A|$ and $rx \in |B|$ and $p = q \odot r$.

•  $px \to qy$ in $A \odot B$ iff both (1) $px, qy \in |A \odot B|$ and (2) $px = r_1z_1 \to r_2z_2,\; r_2z_2 \to r_3z_3,\; \ldots,\; r_{n-1}z_{n-1} \to r_nz_n = qy$ in $A \uplus B$ ($n > 1$).

We can easily check that $\odot$ is a symmetric and associative partial operation on action types with unit $\emptyset$.

Figure 1. Composition of Action Types

Example 2.1  Figure 1 shows examples of composition between action types. In the linear case, ordering from/to node $b$ disappears. On the other hand, in the replicated input case, we need to keep the original ordering because $!b(\tilde y).P$ remains persistently. We can write down these examples syntactically as follows (shared $?$-nodes are duplicated in syntax): $\downarrow a \to (\uparrow b \otimes \uparrow c) \;\odot\; \downarrow b \to (\uparrow d \otimes \uparrow e) \;=\; \downarrow a \to (\uparrow c \otimes \uparrow d \otimes \uparrow e) \otimes \bot b$ and $!a \to (?b \otimes ?c) \;\odot\; !b \to (?d \otimes ?e) \;=\; !a \to (?c \otimes ?d \otimes ?e) \;\otimes\; !b \to (?d \otimes ?e)$.
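Example 2.1's two compositions, and the cycle that rules out $\mathsf{Fw}(ab) \,|\, \mathsf{Fw}(ba)$, can be computed from the definition of $\odot$ above. The following Python is an added example written for this page (not the paper's own code): it represents an action type as a mode map plus a name-level edge set, so an edge $px \to qy$ is stored as the pair $(x,y)$ with the modes looked up separately, and the chain condition of $\asymp$ is read at the level of names.

```python
from typing import Dict, Optional, Set, Tuple

# An action type is (modes, edges): modes maps each name to its action mode
# (Section 2.2: ↓ ↑ linear, ! ? replicated, ⊥ both linear directions),
# edges holds name pairs (x, y) standing for an edge px -> qy.
Modes = Dict[str, str]
Edges = Set[Tuple[str, str]]
ActionType = Tuple[Modes, Edges]

# The partial mode operator ⊙: ↓⊙↑ = ⊥, ?⊙? = ?, !⊙? = ! (and symmetrically).
MODE_COMP = {("↓", "↑"): "⊥", ("↑", "↓"): "⊥", ("?", "?"): "?",
             ("!", "?"): "!", ("?", "!"): "!"}
# The only edge shapes an action type may contain: !x -> ?y or ↓x -> ↑y.
EDGE_SHAPES = {("!", "?"), ("↓", "↑")}


def reachable(edges: Edges, src: str) -> Set[str]:
    """Names reachable from src by a path of length >= 1 in the name-level graph."""
    seen, stack = set(), [src]
    while stack:
        x = stack.pop()
        for (u, v) in edges:
            if u == x and v not in seen:
                seen.add(v)
                stack.append(v)
    return seen


def compatible(a: ActionType, b: ActionType) -> bool:
    """A ≍ B: every shared name has a defined ⊙ and A ⊎ B has no cycle."""
    (ma, ea), (mb, eb) = a, b
    if any((ma[x], mb[x]) not in MODE_COMP for x in ma.keys() & mb.keys()):
        return False
    union = ea | eb
    return all(x not in reachable(union, x) for x in ma.keys() | mb.keys())


def compose(a: ActionType, b: ActionType) -> Optional[ActionType]:
    """A ⊙ B as defined in Section 2.2, or None when A ≍ B fails."""
    if not compatible(a, b):
        return None
    (ma, ea), (mb, eb) = a, b
    modes: Modes = {}
    for x in ma.keys() | mb.keys():
        # Case (2): dual nodes on a shared name are cut into one node q ⊙ r.
        # Case (1): a name on one side only keeps its mode.
        modes[x] = MODE_COMP[(ma[x], mb[x])] if x in ma and x in mb else ma.get(x, mb.get(x))
    union = ea | eb
    # Edge px -> qy survives iff y is reachable from x in A ⊎ B and the pair of
    # resulting modes is still an admissible edge shape (a ⊥ node carries no edges).
    edges: Edges = {(x, y) for x in modes for y in reachable(union, x)
                    if (modes[x], modes[y]) in EDGE_SHAPES}
    return modes, edges


def arrow(p: str, x: str, targets) -> ActionType:
    """Build the action type px -> (q1y1 ⊗ ... ⊗ qnyn)."""
    modes: Modes = {x: p}
    edges: Edges = set()
    for q, y in targets:
        modes[y] = q
        edges.add((x, y))
    return modes, edges


# Example 2.1, linear case:  ↓a → (↑b ⊗ ↑c)  ⊙  ↓b → (↑d ⊗ ↑e)
LIN = compose(arrow("↓", "a", [("↑", "b"), ("↑", "c")]),
              arrow("↓", "b", [("↑", "d"), ("↑", "e")]))
# Example 2.1, replicated case:  !a → (?b ⊗ ?c)  ⊙  !b → (?d ⊗ ?e)
REP = compose(arrow("!", "a", [("?", "b"), ("?", "c")]),
              arrow("!", "b", [("?", "d"), ("?", "e")]))
# Fw(ab) | Fw(ba):  !a → ?b  ⊙  !b → ?a  is a cycle, so the composition is undefined.
CYCLE = compose(arrow("!", "a", [("?", "b")]), arrow("!", "b", [("?", "a")]))
```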

2.3. Linear Typing

We are now ready to present the typing rules. Sequents have the form $\Gamma \vdash P \triangleright A$ where $\Gamma$ is a finite map from names to
channel types, called a base. The typing rules are given in Figure 2. The following notation is used.

$A/\tilde x$ ≝ $A\backslash\tilde x$ such that $x_i \in \mathrm{active}(A)$ for each $x_i$
$pA$ ≝ $A$ such that $\mathrm{md}(A) = \{p\}$
$A^{-x}$ ≝ $A$ such that $x \notin \mathrm{fn}(A)$

Further, $px \to A$ adds new edges from $px$ to active nodes in $A$, $A \otimes B$ (resp. $\Gamma\cdot\Delta$) denotes the disjoint union of $A$ and $B$ (resp. $\Gamma$ and $\Delta$), and $\Gamma \vdash x : \tau$ denotes either $x : \tau$ or $x : (\tau,\bar\tau)$ is in $\Gamma$. The sequent $\Gamma \vdash P \triangleright A$ is often abbreviated to $\Gamma \vdash P$.

Figure 2. Linear Typing Rules (premises and side conditions, then the conclusion after $\Longrightarrow$)

(Zero)  $\Gamma \vdash \mathbf 0 \triangleright \emptyset$

(Par)  $\Gamma \vdash P_i \triangleright A_i\ (i = 1,2),\; A_1 \asymp A_2 \;\Longrightarrow\; \Gamma \vdash P_1\,|\,P_2 \triangleright A_1 \odot A_2$

(Res)  $\Gamma\cdot x{:}\alpha \vdash P \triangleright A,\; px \in |A| \text{ with } p \in \{\bot, !\} \;\Longrightarrow\; \Gamma \vdash (\nu x{:}\alpha)P \triangleright A/x$

(Weak-$\bot$)  $\Gamma \vdash x : \bot,\; \Gamma \vdash P \triangleright A^{-x} \;\Longrightarrow\; \Gamma \vdash P \triangleright A \otimes \bot x$

(Weak-$?$)  $\Gamma \vdash x : ?,\; \Gamma \vdash P \triangleright A^{-x} \;\Longrightarrow\; \Gamma \vdash P \triangleright A \otimes ?x$

(In$\downarrow$)  $\Gamma \vdash x : (\tilde\tau)^{\downarrow},\; \Gamma\cdot\tilde y{:}\tilde\tau \vdash P \triangleright C^{-x},\; C/\tilde y = \uparrow A \otimes ?B \;\Longrightarrow\; \Gamma \vdash x(\tilde y{:}\tilde\tau).P \triangleright (\downarrow x \to A) \otimes B$

(Out$\uparrow$)  $\Gamma \vdash x : (\tilde\tau)^{\uparrow},\; \Gamma\cdot\tilde y{:}\tilde\tau \vdash P \triangleright C,\; C/\tilde y = A^{-x} \;\Longrightarrow\; \Gamma \vdash \bar x(\tilde y{:}\tilde\tau)P \triangleright A \otimes \uparrow x$

(In$!$)  $\Gamma \vdash x : (\tilde\tau)^{!},\; \Gamma\cdot\tilde y{:}\tilde\tau \vdash P \triangleright C^{-x},\; C/\tilde y = ?A \;\Longrightarrow\; \Gamma \vdash\; !x(\tilde y{:}\tilde\tau).P \triangleright\; !x \to A$

(Out$?$)  $\Gamma \vdash x : (\tilde\tau)^{?},\; \Gamma\cdot\tilde y{:}\tilde\tau \vdash P \triangleright C,\; C/\tilde y = A^{-!x} \;\Longrightarrow\; \Gamma \vdash \bar x(\tilde y{:}\tilde\tau)P \triangleright A \otimes ?x$

We briefly illustrate the typing rules. In (Par), "$\asymp$" controls composability, ensuring linearity of channels, and prevents circular dependency. In (Res), we do not allow $\uparrow$, $?$ or $\downarrow$-channels to be restricted since they expect their dual actions to exist in the environment (cf. [8,17,20,26]). In addition to recording causality, (In$\downarrow$) ensures that $x$ occurs precisely once (by $C^{-x}$) and that no free input is suppressed under the prefix. (Out$\uparrow$) also ensures that $x$ occurs precisely once but permits suppression by the prefix since output is asynchronous. (In$!$) is the same as (In$\downarrow$) except that no free $\uparrow$-channels are suppressed (if a $\uparrow$-channel is under replication then it can be used more than once). (Out$?$) and (Weak-$?$) say that $?$-channels occur zero or more times and do not suppress actions.

Example 2.2

•  A copy-cat copies all information from one channel to another [4,22]. We show, step by step, how $[u \to x]^{\tau}$ ≝ $!u(a).\bar x(b)b.\bar a$, the copy-cat from $u$ to $x$, can be typed. Let $\tau = (()^{\uparrow})^{!}$, $\Gamma = a{:}()^{\uparrow}\cdot b{:}()^{\downarrow}\cdot u{:}\tau\cdot x{:}\bar\tau$. Then: (1) $\Gamma \vdash \mathbf 0 \triangleright \emptyset$, (2) $\Gamma \vdash \bar a \triangleright \uparrow a$, (3) $\Gamma \vdash b.\bar a \triangleright \downarrow b \to \uparrow a$, (4) $\Gamma\backslash b \vdash \bar x(b)b.\bar a \triangleright ?x \otimes \uparrow a$ (by $(\downarrow b \to \uparrow a)/b = \uparrow a$) and finally (5) $\Gamma\backslash a \vdash\; !u(a).\bar x(b)b.\bar a \triangleright\; !u \to ?x$ (by $(?x \otimes \uparrow a)/a = ?x$).

•  Let $\alpha = (()^{\downarrow}, ()^{\uparrow})$ and $\Gamma = a{:}\alpha\cdot b{:}\alpha\cdot c{:}\alpha\cdot d{:}\alpha$. Then $\Gamma \vdash a.(\bar b\,|\,\bar c) \triangleright \downarrow a \to (\uparrow b \otimes \uparrow c)$ and $\Gamma \vdash b.\bar d \triangleright \downarrow b \to \uparrow d$. By (Par), $\Gamma \vdash a.(\bar b\,|\,\bar c)\,|\,b.\bar d \triangleright \downarrow a \to (\uparrow c \otimes \uparrow d) \otimes \bot b$, and by (Res), $\Gamma \vdash (\nu b)(a.(\bar b\,|\,\bar c)\,|\,b.\bar d) \triangleright \downarrow a \to (\uparrow c \otimes \uparrow d)$.

•  Let $\Gamma = x{:}(\tau,\bar\tau)\cdot y{:}(\tau,\bar\tau)\cdot z{:}(\tau,\bar\tau)$ and $\tau = (()^{\uparrow})^{!}$. Then the connection of two links (copy-cats) is typed as:

$$\Gamma \vdash [x \to y]^{\tau} \,|\, [y \to z]^{\tau} \;\triangleright\; (!x \to ?z) \otimes (!y \to ?z)$$

with $(!x \to ?y) \odot (!y \to ?z) = (!x \to ?z) \otimes (!y \to ?z)$. However, $[x \to x]^{\tau}$ and $[x \to y]^{\tau} \,|\, [y \to x]^{\tau}$ are untypable under any environment by the side condition $C^{-x}$ in (In$!$) and by definition of $\asymp$, respectively.

Next we list two properties of name usage in typed processes. Acyclicity becomes crucial in our SN proof later.

Proposition 2.3  Let $\Gamma \vdash P \triangleright A$.

i. (linearity) If $px \in A$ such that $p \in \{\downarrow, \uparrow, !\}$, then $x$ occurs precisely once in $P$.

ii. (acyclicity) $G(P)$ denotes a directed graph s.t.: (1) nodes are $\mathrm{fn}(P)$; and (2) edges are given by: $x \curvearrowright y$ iff $P \equiv (\nu\tilde z)(Q\,|\,R)$ such that $Q \equiv x(\tilde w).Q_0$ or $Q \equiv\; !x(\tilde w).Q_0$ where $y$ occurs free in $Q_0$, $x \notin \{\tilde z\}$ and $y \notin \{\tilde z\tilde w\}$. A cycle in $G(P)$ is a sequence of form $x \curvearrowright y_1 \curvearrowright \ldots \curvearrowright y_n \curvearrowright x$ ($n \geq 0$) with $y_i \neq x$. Then $G(P)$ has no cycle.

Some notation which we use later:

•  $P \Downarrow Q$ ≝ $P \longrightarrow^* Q \not\longrightarrow$.

•  $P \Downarrow$ ≝ $\exists Q.\, P \Downarrow Q$. Further, $P \Uparrow$ ≝ $\forall n \in \mathbb N.\, P \longrightarrow^n$.

•  $\mathrm{SN}(P)$ ≝ $\neg(P \Uparrow)$.

•  $\mathrm{CSN}(P)$ ≝ $\mathrm{SN}(P) \wedge (P \Downarrow Q_i\ (i = 1,2) \Rightarrow Q_1 \equiv Q_2)$.

Proposition 2.4  Let $\Gamma \vdash P \triangleright A$.

i. (subject reduction) If $P \longrightarrow Q$ then $\Gamma \vdash Q \triangleright A$.

ii. (one-step confluence) If $P \longrightarrow Q_i$ ($i = 1,2$) with $Q_1 \not\equiv Q_2$ then there exists $R$ s.t. $Q_i \longrightarrow R$ ($i = 1,2$).

iii. (determinacy) (1) $P \longrightarrow P'$ and $\mathrm{SN}(P')$ imply $\mathrm{SN}(P)$. (2) $P \Downarrow Q_i$ ($i = 1,2$) imply $Q_1 \equiv Q_2$. And (3) $P \Downarrow \;\Leftrightarrow\; \mathrm{SN}(P) \;\Leftrightarrow\; \mathrm{CSN}(P)$.

(i,ii) are proved as in [8]; (iii) is standard [1], all using (ii).

3. Strong Normalisation

This section proves the following result.

Theorem 3.1 (main theorem, strong normalisation)  $\Gamma \vdash P \triangleright A \;\Rightarrow\; \mathrm{CSN}(P)$.

A few significant consequences of the theorem will be discussed in Sections 4, 5 and 6. In the proof, we first introduce the extended reduction relation $\mapsto$, which eliminates all cuts (mutually dual channels) in a typed process. Next we define semantic types $[\![\Gamma, A]\!]$, which are sets of typed terms that converge when composed with all necessary "resources" (i.e. complementary processes). Finally we prove that each typable process is in the corresponding semantic type. This part is divided into two stages. We start by showing all normal forms to be in their semantic types. Then we establish that each typable process combined with resources always reaches a normal form, which implies the strong normalisability of $\longrightarrow$. In the second stage acyclicity (cf. Proposition 2.3) becomes crucial.

3.1. Extended Reductions

Definition 3.2 (extended reductions)  We define $\mapsto_l$, $\mapsto_r$ and $\mapsto_g$ as the compatible relations on processes modulo $\equiv$ respectively generated by the following rules.

$$C[\bar x(\tilde y)P] \,|\, x(\tilde y).Q \;\mapsto_l\; C[(\nu\tilde y)(P\,|\,Q)]$$
$$C[\bar x(\tilde y)P] \,|\, !x(\tilde y).Q \;\mapsto_r\; C[(\nu\tilde y)(P\,|\,Q)] \,|\, !x(\tilde y).Q$$
$$(\nu x)\,!x(\tilde y).Q \;\mapsto_g\; \mathbf 0$$

Here $C[\,]$ is an arbitrary context not binding $x$. Then $\mapsto$ ≝ $(\mapsto_l \cup \mapsto_r \cup \mapsto_g)$ is the extended reduction relation.

The idea of $\mapsto$ is to capture known process-algebraic laws as one step reductions: $\mapsto_l$, $\mapsto_r$ and $\mapsto_g$ correspond to the β/linear law [16,17,26,40], the replication law [8,32,36] and the garbage collection law, respectively. Immediately $\mapsto\; \supseteq\; \longrightarrow$. $P \Downarrow_e$, $\mathrm{SN}_e(P)$ and $\mathrm{CSN}_e(P)$ are given as $P \Downarrow$, $\mathrm{SN}(P)$ and $\mathrm{CSN}(P)$, using $\mapsto$ instead of $\longrightarrow$. A $\mapsto$-redex is a pair of terms which form a redex for $\mapsto$ in a given term. We say process $P$ is prime with subject $x$ if either $P$ is input with subject at $x$ or $P \equiv \bar x(y_1..y_n)\Pi_{i\in I}P_i$ such that each $P_i$ is prime with subject $y_i$, where $\Pi_{i\in I}P_i$ denotes the parallel composition of $\{P_i\}_{i\in I}$ (if $I = \emptyset$ then $\Pi_{i\in I}P_i = \mathbf 0$). We assume all prefixed terms to be primes throughout the rest of the section (which does not lose generality up to $\equiv$). $\mathrm{NF}_e$ is given by $\{\Gamma \vdash P \mid P \not\mapsto\}$. Note that a process is in $\mathrm{NF}_e$ if it does not contain complementary input and output and, moreover, it does not have substantial hiding (i.e. a hiding $(\nu a)P$ such that $a \in \mathrm{fn}(P)$). Thus we can see $\mathrm{NF}_e$ is inductively generated by the following rules up to $\equiv$ (implicitly assuming typability):

•  $\mathbf 0 \in \mathrm{NF}_e$.

•  $P \in \mathrm{NF}_e$ then $x(\tilde y{:}\tilde\tau).P,\; !x(\tilde y{:}\tilde\tau).P,\; \bar x(\tilde y{:}\tilde\tau)P \in \mathrm{NF}_e$.

•  $P_i \in \mathrm{NF}_e$ ($i \in I \neq \emptyset$), $P_i$ is a prime, and $P_i$ and $P_j$ form no $\mapsto$-redex ($i \neq j$) then $\Pi_{i\in I}P_i \in \mathrm{NF}_e$.

Proposition 3.3  Let all processes be typed below.

i. If $\Gamma \vdash P \triangleright A$ and $P \mapsto P'$ then $\Gamma \vdash P' \triangleright A$.

ii. (CR) If $P \mapsto^* Q_i$ then $Q_i \mapsto^* R$ ($i = 1,2$).

iii. (determinacy) If $P \mapsto P'$ and $\mathrm{SN}_e(P')$ then $\mathrm{SN}_e(P)$. Thus $P \Downarrow_e$ iff $\mathrm{SN}_e(P)$ iff $\mathrm{CSN}_e(P)$.

Note that the Church-Rosser property is no longer one-step. The proof proceeds by 'postponing' applications of $\mapsto_g$.

3.2. Semantic Types

Semantic types are provably strongly normalising typed terms of some kind. We need some preliminaries.

•  c(A)  =  .,}77-.r/. 

•  Let $A \asymp B$ and $A \odot B = C \otimes \bot\tilde x$ where $\bot \notin \mathrm{md}(C)$. Then $A \cdot B$ ≝ $C$.

By $c(A)$, called the complement of $A$, we indicate the (type of the) environment which gives complementary linear and replicated inputs for all free output channels in $A$. $A \cdot B$ is a "semantic version" of $A \odot B$, where we forget inessential $\bot$-channels. We write $\Gamma \vdash A$ if modes in $A$ conform to $\Gamma$. We can now define semantic types.

Definition 3.4  The semantic type $[\![\Gamma, A]\!]$ of a pair $\Gamma$ and $A$ such that $\Gamma \vdash A$, and the prime semantic type $((\Gamma, px))$ for a pair $\Gamma$ and $px$ such that $\Gamma \vdash px$ with $p \in \{\downarrow, !\}$, are defined by the rules in Figure 3.

In Figure 3, $\overline\Gamma$ and $\Gamma \cup \Delta$ respectively denote the result of dualising all types in $\Gamma$ and the name-wise union of types. The rules are well-defined since the height of types decreases in effect. Note that we can always assume $\Gamma$ in $[\![\Gamma, A]\!]$ is paired, i.e. contains only pair types, with no loss of generality. Some observations:

Lemma 3.5

i. If $P \in [\![\Gamma, A]\!]$ then $\Gamma \vdash P \triangleright A$ and $\mathrm{SN}_e(P)$.

ii. $[\![\Gamma, A]\!] \subset [\![\Gamma, A \otimes B]\!]$. Also $[\![\Gamma, A \otimes \bot a]\!] = [\![\Gamma, A]\!]$.

iii. Let $P \mapsto P'$. Then $P \in [\![\Gamma, A]\!]$ iff $P' \in [\![\Gamma, A]\!]$.

iv. Let $P_i \in ((\Gamma, p_ix_i))$ ($1 \leq i \leq n$) such that $x_1,..,x_n$ are pairwise distinct. Then $\Pi_{i}P_i \in [\![\Gamma, \otimes_i p_ix_i]\!]$.

For the proof of (i), we use that $P\,|\,Q \Downarrow_e$ implies $P \Downarrow_e$ and $Q \Downarrow_e$. For (iii), "then" is trivial, while "if" is by $\mapsto$ being CR. (iv) is because $c(\otimes p_ix_i) = \emptyset$ in this case.

Figure 3. Non-Prime and Prime Semantic Types

$[\![\Gamma, A]\!]$ ≝ $\{\Gamma \vdash P \triangleright A \;\mid\; \forall Q \in ((\overline\Gamma, c(A))).\; P\,|\,Q \Downarrow_e R \in ((\Gamma \cup \overline\Gamma, A \cdot c(A)))\}$

$((\Gamma, \downarrow x))$ ≝ $\{x(\tilde y{:}\tilde\tau).P \;\mid\; P \in [\![\Gamma\cdot\tilde y{:}\tilde\tau, \otimes_i p_iy_i]\!]$ with $\Gamma \vdash x : (\tilde\tau)^{\downarrow}$ and $p_i = \mathrm{md}(\tau_i)\}$

$((\Gamma, !x))$ ≝ $\{!x(\tilde y{:}\tilde\tau).P \;\mid\; P \in [\![\Gamma\cdot\tilde y{:}\tilde\tau, \otimes_i p_iy_i]\!]$ with $\Gamma \vdash x : (\tilde\tau)^{!}$ and $p_i = \mathrm{md}(\tau_i)\}$

$((\Gamma, \otimes_{i\in I}p_ix_i))$ ≝ $\{\Pi_{i\in I}P_i \;\mid\; P_i \in ((\Gamma, p_ix_i))\ (i \in I)\}$

3.3. Main Proofs

First we show that all (typable) normal forms are semantically typed. The difficult case here is output $\bar a(\tilde x)P$ to replication $!a(\tilde x).Q$ because after reduction $\bar a(\tilde x)P \,|\, !a(\tilde x).Q \longrightarrow (\nu\tilde x)(P\,|\,Q) \,|\, !a(\tilde x).Q$, $P$ may interact again with $!a(\tilde x).Q$. Our formulation of semantic types based on $\mapsto$ makes the inductive argument possible.

Lemma 3.6  If $\Gamma \vdash P \triangleright A$ and $P \in \mathrm{NF}_e$ then $P \in [\![\Gamma, A]\!]$.

PROOF: By Lemma 3.5 (ii), it suffices to consider only minimum action types. For brevity we write $P\langle px\rangle$ ($p \in \{!, \downarrow\}$) for a process in normal form in a prime semantic type. Also throughout the proof we set $\mathrm{fn}(A) = \{a_i\}$ and $\mathrm{fn}(B) = \{b_j\}$. The proof proceeds by induction on the structure of $P$. We only list two cases; see [41] for the remaining cases.

(Inaction). By $c(\emptyset) = \emptyset$, if $Q \in ((\overline\Gamma, c(\emptyset)))$, then $Q = \mathbf 0$. Hence $\mathbf 0\,|\,Q = \mathbf 0 \in ((\Gamma, \emptyset))$ with $c(\emptyset)\cdot\emptyset = \emptyset$; immediately $\mathbf 0 \in [\![\Gamma, \emptyset]\!]$.

(Replicated Output). Assume $P \in [\![\Gamma\cdot\tilde y{:}\tilde\tau, C \otimes ?x]\!]$ with $C/\tilde y = \uparrow A \otimes B$. We have to show $\bar x(\tilde y{:}\tilde\tau)P \in [\![\Gamma, A \otimes B \otimes ?x]\!]$. First we note that $c(A \otimes B \otimes ?x) = c(A) \otimes c(B) \otimes !x$. Assume $Q \in ((\overline\Gamma, c(A) \otimes c(B) \otimes !x))$. W.l.o.g. we can write $Q = \;!x(\tilde y).Q_0 \,|\, Q_1 \,|\, Q_2$ where $!x(\tilde y).Q_0 \in ((\overline\Gamma, !x))$, $Q_1 = \Pi_i Q_{1i}\langle\downarrow a_i\rangle$ and $Q_2 = \Pi_j Q_{2j}\langle !b_j\rangle$. Then we have:

$$\bar x(\tilde y)P \,|\, Q \;\longrightarrow\; (\nu\tilde y)(P\,|\,Q_0) \,|\, !x(\tilde y).Q_0 \,|\, Q_1 \,|\, Q_2.$$

By induction, $P \,|\, !x(\tilde y).Q_0 \,|\, Q_1 \,|\, Q_2 \;\Downarrow_e\; P' \,|\, !x(\tilde y).Q_0 \,|\, Q_2$ s.t. $P' \in ((\Gamma\cdot\tilde y{:}\tilde\tau, \otimes_i p_iy_i))$ with $p_i = \mathrm{md}(\tau_i) \in \{!, \downarrow\}$. Hence we can write $P' = \Pi_i P_{1i}\langle\downarrow z_i\rangle \,|\, \Pi_j P_{2j}\langle !w_j\rangle$ with $\{\tilde y\} = \{\tilde z\tilde w\}$. We also note that $Q_0 \in [\![\overline\Gamma\cdot\tilde y{:}\bar{\tilde\tau}, \otimes_i \bar p_iy_i]\!]$. Hence, by assumption,

$$(\nu\tilde y)(P'\,|\,Q_0) \;\Downarrow_e\; (\nu\tilde y)(\Pi_j P_{2j}\langle !w_j\rangle) \;\mapsto_g^*\; \mathbf 0.$$

Now by CR, we have $P \,|\, Q \;\Downarrow_e\; !x(\tilde y).Q_0 \,|\, Q_2 \in ((\overline\Gamma, c(B) \otimes !x))$, as desired. ■

Corollary  3.7  IfT  Pi>  px  e  NF^,  with  p  G  {4-, !},  then 
Pe{{T,px)). 

We  can  now  establish  the  main  lemma  below:  given  the 
Lemma  3.6,  prefix  and  restriction  become  trivial,  but  paral¬ 
lel  composition  causes  problems.  Even  if  \a.b  and  (a  |  \b.c) 
are  in  NF<,,  their  composition  (with  environment  !c.0)  al¬ 
lows  reductions.  How  can  we  prove  termination?  The  key 
idea  is  to  contract  i->-redexes  from  the  end  of  the  order  of 
names  c^r^  4?  a  as: 

la.b\d\\b.c\\c.O  \a.b\d\\b.0\\c.(i 

Mr  !a.0|a|  !47.0|  !c.O  Mr  !a.O  j  !P0 1  !c.O 

This  reduction  strategy  always  terminates  due  to  acyclicity 
of  names.  Formally,  we  prove: 

Lemma  3.8  (main  lemma)  Suppose  F  h  P  >  A.  Then 
P\Q  for  each  Q  G  [[F,  c(A)]]. 

Proof:  By  induction  on  the  typing  rules.  (Zero)  and 
(Weak-±,-?)  are  trivial.  For  the  prefix  rules,  by  induction 
the  body  of  each  prefix  converges,  hence  so  does  the  whole 
term.  Then  we  use  Lemma  3.6  again.  (Res)  is  similar, 
by  Lemma  3.5  (ii).  For  (Par),  suppose  F  h  P,  >  A,  with 
i  =  1,2  such  that  Ai  x  A2  and  let  A  =  Ai  OA2.  By  induc¬ 
tion  hypothesis  Pj  P[  and  Pi  JJ-e-  P'l-  Let  P  P[  [P^.  Then 
P  =  61 1 -I  fin  where  each  2i  is  prime.  If  n  =  0  there  is  noth¬ 
ing  to  prove.  Assume  n  >  0  and  let  X  {l,2,..,n}.  We 
define  the  relation  \  on  Zf  as  follows: 

iHpf 

i\i  ^  3xGfn(2/),)’Gfn(2i)-.^^)’ 

Since  i  \+  j  i  implies  the  existence  of  a  cycle  x  r\^  x 
in  the  sense  of  Proposition  2.3  (ii),  \*  is  a  partial  order  on 
X.  We  now  define  a  series  of  sets  Xi  ,X2,..  as  follows,  writ¬ 
ing  max(F,  <)  for  the  set  of  maximal  elements  of  a  partially 
ordered  set  Y. 

Xi  =  max{X,  V)  ^/+i  =  max(X\Ui<,<,X,-,  V) 
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As  X  is  finite,  X\,..,X,„  partition  X  for  some  m.  Now  let 

Si  =  IXjzXiQj  for  I  <  (  <  m.  Then  P  =  ni<,<„,5/  and  5,-  £ 
NF(.  for  each  i.  Note  the  series  S|,..,5„  is  constructed  so 
that  outputs  in  5/+i  are  always  complemented  by  inputs  in 
|...|5i \R.  Now  let  F  h  t>  Q  s.t.  ©i<;<,„C,'  =  A  and 

let  Ei  =  c(C|)  ©Cl  ©  ..  ©C,„i  for  1  <  i  <  m.  Then  C,  = 
c(C/)  for  each  i.  Note  also  £1  =  c(A)  and  E,„  =  c{A)  QA. 
Choose  any  R  £  ((F,  c{A))).  We  now  show,  by  induction  on 
1  <  I  <m+  \  ,  that  for  some  /?/  £  ((F,  C/)) 

P\R^*  U,<i<„,Si\R,. 

This  proves  the  lemma  when  I  =  m  +  \  .  For  the  base 
case,  take  R[  =  R.  For  the  inductive  step,  assume  P\R 
n/<;<m‘5',|£/  such  that  /?/  £  ((F,  £/)).  By  Lemma  3.6 
and  by  Si  £  NF^.  we  know  that  Si  £  [[F,  C/j].  By  £/  = 
c(C/)  —  c(C|)  ©C|  ©  ...  ©C/_i ,  this  implies  Si\Ri  R'  £ 
((F,  £■/.,.  I )) .  We  can  now  set  £'  =  /?/+],  as  desired.  ■ 

Theorem 3.9 (strong normalisability in $\mapsto$) $\Gamma \vdash P \triangleright A$ implies $\mathrm{CSN}_{\mapsto}(P)$.

By Theorem 3.9 and Proposition 2.4 (iii-3), we have now established Theorem 3.1.

4.  Characterisation  of  Bisimilarity 

As  a  striking  consequence  of  the  strong  normalisability  of 
typed  processes,  this  section  shows  that  weak  bisimilarity 
has  a  finite  axiomatisation. 

4.1.  Typed  Transitions  and  Typed  Bisimulations 

Typed transitions describe the observations a typed observer can make of a typed process. Typed transitions are a proper subset of untyped transitions while not restricting $\tau$-actions: hence typed transitions restrict observability, not computation. First, untyped transitions $P \xrightarrow{l} Q$, with labels $\tau$, $x(y)$ and $\overline{x}(y)$, are generated by the following rules.

$$x(y).P \xrightarrow{x(y)} P \qquad \overline{x}(y)P \xrightarrow{\overline{x}(y)} P \qquad !x(y).P \xrightarrow{x(y)} P \,|\, !x(y).P$$

The communication and contextual rules are standard except for closure under asynchronous output.

$$\frac{P \xrightarrow{l} P' \quad \mathrm{fn}(l) \cap \{y\} = \emptyset}{\overline{x}(y)P \xrightarrow{l} \overline{x}(y)P'}$$

Typed transitions, written $\Gamma \vdash P \xrightarrow{l}_{\vec{y}:\vec{\tau}} Q$, where $\vec{y}:\vec{\tau}$ assigns names introduced in $l$ as prescribed by $\Gamma$, are generated as follows, cf. Section 4.2 and Appendix E of [8]: $\Gamma \vdash P \xrightarrow{l}_{\vec{y}:\vec{\tau}} Q$ iff (1) $\Gamma \vdash P \triangleright A$, (2) $P \xrightarrow{l} Q$ with $\mathrm{bn}(l) \cap \mathrm{fn}(\Gamma) = \emptyset$, (3) if $?x \in |A|$ then $x \notin \mathrm{fn}(l)$, and (4) if $!x \in |A|$ and $\mathrm{active}(l) = x$ then $l$ is an input.


Using typed transitions, we define bisimulations. Let us say a relation over typed processes is typed if it relates only processes with identical base and action type. A typed relation is a typed congruence when it is a typed equivalence closed under typed contexts, contains $\equiv$ and allows weakening of bases in the standard way [8, 32]. A typed relation $\mathcal{R}$ is a weak bisimulation, or a bisimulation, if $\Gamma \vdash P\,\mathcal{R}\,Q$ implies: whenever $\Gamma \vdash P \xrightarrow{l} P'$ then there is a typed transition sequence $\Gamma \vdash Q \Longrightarrow Q'$ with the same visible label such that $P'\,\mathcal{R}\,Q'$, as well as the symmetric case. By replacing the typed transition sequence with a single typed transition we obtain a strong bisimulation. If $\Gamma \vdash P\,\mathcal{R}\,Q$ for some weak (resp. strong) bisimulation $\mathcal{R}$, we write $\Gamma \vdash P \approx Q$ (resp. $\Gamma \vdash P \sim Q$). Finally, $\approx$ (resp. $\sim$) is called weak (resp. strong) bisimilarity. The weak bisimilarity is often simply called bisimilarity.

4.2.  Characterisation 

Let $\leftrightarrow$ be the transitive, symmetric closure of $\mapsto \cup \equiv$. We now show that $\leftrightarrow$ completely characterises bisimilarity.

Definition 4.1

• The relation $\equiv'$ is the least congruence such that $=_\alpha \subseteq \equiv'$, $P|Q \equiv' Q|P$ and $(P|Q)|R \equiv' P|(Q|R)$.

• The relation $\triangleright$ is the least typed precongruence containing $\equiv'$ such that $P|\mathbf{0} \triangleright P$, $(\nu x)\mathbf{0} \triangleright \mathbf{0}$, $(\nu x)(P|Q) \triangleright P|(\nu x)Q$ if $x \notin \mathrm{fn}(P)$, $\overline{x}(y)(P|Q) \triangleright P|\overline{x}(y)Q$ if $\mathrm{fn}(P) \cap \{y\} = \emptyset$ and $(\nu z)\overline{x}(y)P \triangleright \overline{x}(y)(\nu z)P$ if $z \notin \{x, y\}$.

• $P$ is in $\triangleright$-normal form if $P \in \mathrm{NF}_{\mapsto}$ and $P \triangleright Q$ implies $P \equiv' Q$.

Clearly $\triangleright$-normal forms are representatives of $\mathrm{NF}_{\mapsto}$, in fact precisely those generated by the rules in §3.1.

Lemma 4.2 i. If $\Gamma \vdash P \triangleright A$ then there is a $\triangleright$-normal form $Q$ such that $P \mapsto^* Q$.

ii. Let $P$ and $Q$ be two typable $\triangleright$-normal forms. Then $P \approx Q$ iff $P \equiv' Q$ iff $P \sim Q$.

The proof of Lemma 4.2 uses Theorem 3.9. The key observation for the proof of (ii) is that $\triangleright$-normal forms are a class of processes where trace equivalence, $\approx$ and $\equiv'$ (hence also $\sim$ and $\equiv$) coincide.

Theorem 4.3 (characterisation of $\approx$) (i) $\mapsto \subseteq \approx$ and $\equiv \subseteq \approx$; and (ii) $\leftrightarrow\ =\ \approx$.

The proof for (i) essentially proceeds by showing $\mathcal{R} \cup \mathrm{id}$ to be a typed bisimulation where $\mathcal{R}$ is inductively generated by the following rules:

$$C[\overline{x}(y)P] \,|\, x(y).Q \;\;\mathcal{R}\;\; C[(\nu y)(P|Q)]$$
$$C[\overline{x}(y)P] \,|\, !x(y).Q \;\;\mathcal{R}\;\; C[(\nu y)(P|Q)] \,|\, !x(y).Q$$
$$(\nu x)!x(y).Q \;\;\mathcal{R}\;\; \mathbf{0}$$

Here $C[\,]$ is an arbitrary context not binding $x$.

To establish (ii), assume that $P \approx Q$. By Lemma 4.2 (i) we can find $\triangleright$-normal forms $P_{nf}$ and $Q_{nf}$ of $P$ and $Q$ respectively such that $P \mapsto^* P_{nf}$ and $Q \mapsto^* Q_{nf}$. Hence by (i) $P_{nf} \approx Q_{nf}$. But Lemma 4.2 (ii) implies that $\approx$ restricted to $\triangleright$-normal forms is contained in $\equiv'$, hence $P \mapsto^* P_{nf} \equiv' Q_{nf}$ and $Q \mapsto^* Q_{nf}$, which means $P \leftrightarrow Q$, as required.

5. Fully Abstract Embedding of $\lambda_{\to,\times,+}$

5.1. The Functional Calculus

We use the simply typed $\lambda$-calculus with products and sums ($\lambda_{\to,\times,+}$ from now on) as a testbed for the expressiveness of the presented calculus. We have chosen $\lambda_{\to,\times,+}$ because of its rich type structures and non-trivial equational theory. For simplicity we omit base types other than unit. We review the syntax of types and terms below, with $i$ ranging over $\{1, 2\}$.

$$T ::= \mathrm{unit} \;|\; T_1 \Rightarrow T_2 \;|\; T_1 \times T_2 \;|\; T_1 + T_2$$

$$M ::= x \;|\; () \;|\; \lambda x{:}T.M \;|\; MN \;|\; (M, N) \;|\; \pi_i(M) \;|\; \mathrm{in}_i(M) \;|\; \mathrm{case}\ L\ \mathrm{of}\ \{\mathrm{in}_i(x_i).M_i\}_{i \in \{1,2\}}$$

We write $M =_\alpha N$ for the $\alpha$-equality on terms. A term is closed if no variables occur free.

The reduction relation, written $\to$, and the typing rules are standard [14, 31]. We write $E \vdash M : T$ when a term $M$ is typable with type $T$ under a base $E$. We write $C[\,]_T : T'$ for a (typed) context of type $T'$ with one hole of type $T$. We often omit type annotations from terms and contexts. We write $M \Downarrow N$ when $M \to^* N$ and $N$ is a normal form. A normal form is a term which has no further reductions.

Equality in $\lambda_{\to,\times,+}$ is not as simple as it may look, due to the existence of sums [12]. To have a semantically meaningful equality, we use observation of "values", cf. [31]. Let $\mathrm{true} = \mathrm{in}_1(())$ and $\mathrm{false} = \mathrm{in}_2(())$, both of type $\mathbf{B} \stackrel{\mathrm{def}}{=} \mathrm{unit} + \mathrm{unit}$. Then $E \vdash M \cong_\lambda N : T$ when, for each context $C[\,]_T : \mathbf{B}$ such that $C[M]$ and $C[N]$ are closed, we have $(C[M] \Downarrow \mathrm{true} \iff C[N] \Downarrow \mathrm{true})$. The same equality is obtained by taking observability at each sum type, justifying all commuting conversions and $\eta$-rules.

5.2. The $\pi$-Calculus: Extension with Branching

Before the encoding, we extend the typed $\pi$-calculus to its full syntax [8] by incorporating branching. Branching is necessary to represent sums in $\lambda_{\to,\times,+}$ and is also used for defining a reduction-based typed congruence [21, 40].

$$P ::= \cdots \;|\; x[\&_i(y_i{:}\tau_i).P_i] \;|\; !x[\&_i(y_i{:}\tau_i).P_i] \;|\; \overline{x}\,\mathrm{in}_i(y{:}\tau)P$$

Ti  ::=  ••■I  I  [&/f/]' 

To  ::=  I  [e/f,]-’ 


The additional reduction rules are defined as:

$$x[\&_i(y_i).P_i] \,|\, \overline{x}\,\mathrm{in}_j(y_j)Q \;\to\; (\nu y_j)(P_j \,|\, Q)$$

$$!x[\&_i(y_i).P_i] \,|\, \overline{x}\,\mathrm{in}_j(y_j)Q \;\to\; !x[\&_i(y_i).P_i] \,|\, (\nu y_j)(P_j \,|\, Q)$$

Then $\mapsto$ is defined similarly as in Definition 3.2. The linear typing rules are given in Appendix A. All arguments and results in the preceding sections carry over to the full syntax without alteration (see the footnote below).

Let us say $A$ is closed when $\mathrm{md}(A) \subseteq \{!, \downarrow\}$. Now write $\Gamma \vdash P \Downarrow$ when $P \Downarrow (\nu \vec{y})(\overline{x}\,\mathrm{in}_i(\vec{z})P_0 \,|\, R)$ with $x \notin \{\vec{y}\}$, where $\Gamma \vdash P \triangleright A \otimes \uparrow\!x$ with $A$ closed. We then define $\cong$ as the maximum typed congruence such that if $\Gamma \vdash P \cong Q$ and $\Gamma \vdash P \Downarrow$ then $\Gamma \vdash Q \Downarrow$ (cf. [21, 40]). We use the following lemma about $\cong$, which is proved as in [8].

Lemma 5.1 (context lemma) Let $\Gamma \vdash P_j \triangleright A$ ($j = 1, 2$) with $\Gamma$ paired. Then $P_1 \cong P_2$ iff: $P_1 | R \Downarrow \iff P_2 | R \Downarrow$ for each $\Gamma \cdot x : [\oplus_{1,2}] \vdash R \triangleright B$ s.t. $A \asymp B$.

5.3. Embedding and Full Abstraction

The encoding of $\lambda_{\to,\times,+}$ is given in Figure 4. It adapts Milner's call-by-name encoding [28] to our type structure by adding an indirection at each $\lambda$-abstraction. The basic correspondence result follows. Note that in the second statement, there is an exact operational correspondence between $\to$ and $\mapsto$: $\to$ is simulated by $\mapsto$ directly, not up to some semantic equality.

Proposition 5.2 Let $E \vdash M : T$ below with $\mathrm{fn}(P) = \{\vec{y}\}$.

i. $E^\circ \cdot u : T^\circ \vdash [[M : T]]_u \triangleright\ !u \to ?\vec{y}$ is well-typed.

ii. $M \to M'$ iff $[[M]]_u \mapsto [[M']]_u$.

Corollary 5.3 $\lambda_{\to,\times,+}$ is strongly normalising.

PROOF: By Theorem 3.9 using: if $[[N_1]]_u = [[N_2]]_u$ with $N_i$ in normal form then $N_1 =_\alpha N_2$.

The above corollary offers a faithful computational embedding of $\lambda_{\to,\times,+}$: we now show that this also extends to semantics. First, by Proposition 5.2 and Corollary 5.3:

Lemma 5.4 (computational adequacy) Let $M : \mathbf{B}$ be closed. Then $M \Downarrow \mathrm{true}$ iff $[[M]]_u \Downarrow_{\mapsto} [[\mathrm{true}]]_u$.

Corollary 5.5 (soundness) $[[E \vdash M : T]]_u \cong [[E \vdash N : T]]_u$ implies $E \vdash M \cong_\lambda N : T$.

"A  minor  change  is  Proposition  2..X  (i):  for  a  f-channel,  “precisely 
once”  becomes,  under  a  branching  input,  "precisely  once  in  each  branch”. 
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(Type)  unit°  (0^)'  {h=^T2)°  =  {T°{T^y)'  (Ti  xTiS  i(T°T.,yy  (r,  +  Tj)"  =  ([T,” 

(Base)  r  0  (£  •  .v :  T)°  '^=  £=  ■  .v :  7^ 

(Terms)  (if T?  =  T'12  =>  722  then  z  =  Z]Z2  else  z  =  z) 

IMN  :  T2I,  =!«(?). (vm/!)([[A/  :  T,  =^7-2l]„,  |  \\N  :  r,]]„  |  Arg(m«2)^'^^0 

[[?LV :  7-,  ./W  :  7|  T2I,  =' '  m(.v-).2(»0[[W  :  Tj]],,, 

[[(M,,  M.)  :  r,  X  T2I,  ='  !i<(c).f(m|/H2)([[W|  :  T'lllm,  1 11^2  :  T?]],,,.,) 

[[jci  {M):T]]\,i  '^=  \ii{z).{vm){[[M  :T]  x  Ti]],,,  |  Proj,  ) 

10  ;unit|l„  “'=  !i({.v)..v 

[[inl(A7) :  Ti  +7'2]]„  ='!  i((c).cinl(m)[[A7  :  Ti]],,, 

[[case  L  of  inl(.V|)A7|  or  inr(.r2)A/2  :  T'J,, 

^:'!,<(5).(v/)([[7.:  r,  +7-2]],|Sum(/r,(.v,)W,)'') 

We omit $\mathrm{inr}(M)$ and $\pi_2(M)$. For the copy-cats of unary types we assume the indexing sets to be singletons.

Figure 4. Encoding of $\lambda_{\to,\times,+}$


Arg(;;i/;c)^'^^-  ='  m{n'c'){[n'  -2  n|^°  |  c' {ii').Con{ii'z)^"° ) 

Proj,(mO^  '=  /«(e)e(viV2).Con(v,2)^° 

Sum(/c,  (.v,)A7,)^ 

7(c)r[&|,2(-v,).(v»i)([[A/,  :  r[|„,  [  Con(m0^°)| 

Con(.v.Or^)'  =^v(,)^)n[.v;->y,]^ 

[.,  _>  V]&,(r)‘  ‘If  4&,(y,}.7in,(?^)n,yyr  ->  y,,|^| 
yp,(f,)'  “If  !.v[&,(y,).?in,(yOn„[y^  y„|^l 


For completeness, we use a specific class of linear processes. Let us say $P$ is sequential [8] if it is typable by the same system as Figure 2 and the rules in Appendix A, augmented with the sequentiality constraint in Figure 1 of [8]. A key lemma for completeness follows.

Lemma  5.6  (sequential  testability)  Let  E‘=  \:S  and 
E"  -u-.r  1-  P„  0  !// ®  7y  (/I  =  1 ,2).  Then  F,  P2  iff: 

1  Pi  10)11;  O  (n,p,[^2l0)  ('=1.2) 

for  each  sequential  y  i  :  S°  h  Rj  t>  !y,  and  sequential 
u  :  T°,x  :  [01,2]^  F  Q  t>  t-V. 

For the proof, we use Lemma 5.1, and by assuming, via Theorem 3.9, the context to be in $\mathrm{NF}_{\mapsto}$, we obtain $\Pi_i R_i$ and $Q$ of the desired types.

The final step is to show that each process with $\lambda_{\to,\times,+}$-types is translatable to a canonical normal form [4, 22] (CNF) whose grammar is given below.

$$F ::= () \;|\; x \;|\; \lambda x.F \;|\; (F_1, F_2) \;|\; \mathrm{in}_i(F) \;|\; \mathrm{let}\ () = z\ \mathrm{in}\ F \;|\; \mathrm{let}\ x = zF\ \mathrm{in}\ F' \;|\; \mathrm{let}\ (x, y) = z\ \mathrm{in}\ F \;|\; \mathrm{case}\ x\ \mathrm{of}\ \{\mathrm{in}_i(x_i).F_i\}$$

We omit the typing and reduction rules. CNFs are translated to $\lambda_{\to,\times,+}$-terms in the standard way without changing their compositional behaviour, which we write $F^\circ$ (see [41] for the definition). The range of this map exhausts all normal forms of $\lambda_{\to,\times,+}$. We can now prove:


Proposition 5.7 (definability) Let $E^\circ \cdot u : T^\circ \vdash P \triangleright\ !u \to ?\vec{y}$ be sequential with $\mathrm{fn}(P) = \{\vec{y}\}$. Then $P \equiv [[F^\circ]]_u$ for some $E \vdash F : T$.

The proof is by induction on the size of sequential processes under all $\lambda_{\to,\times,+}$-bases and types. We can now establish full abstraction.

Theorem 5.8 (full abstraction) $E \vdash M_1 \cong_\lambda M_2 : T$ iff $E^\circ \cdot u : T^\circ \vdash [[M_1 : T]]_u \cong [[M_2 : T]]_u$.

Proof: By Corollary 5.5, we only have to show the "only if" direction. Suppose $M_1 \cong_\lambda M_2$ but $[[M_1]]_u \not\cong [[M_2]]_u$. By the latter, take $\Pi R_i$ and $Q$ as in Lemma 5.6 s.t. $(\nu \vec{y} u)(\Pi R_i \,|\, [[M_i]]_u \,|\, Q') \Downarrow [[b_i]]_u$ ($i = 1, 2$) with $Q' = !w(x).Q$, $b_1 = \mathrm{true}$ and $b_2 = \mathrm{false}$. By Proposition 5.7, we have $F$ and $F'$ such that the $\lambda_{\to,\times,+}$-context built from $F^\circ$ and $F'^\circ$ sends $M_i$ to $b_i$ ($i = 1, 2$), which contradicts Lemma 5.4 together with $M_1 \cong_\lambda M_2$, hence done.

6.  Discussion  and  Further  Work 

Summary  The  present  study  is  part  of  our  quest  to  ar¬ 
ticulate  significant  classes  of  computational  behaviour  us¬ 
ing  typed  7i-calculi,  Previous  work  [8]  introduced  affine, 
sequential  types  for  the  7i-calculus  and  established  full  ab¬ 
straction  for  an  encoding  of  PCF.  Using  causality  between 
names,  the  present  text  refines  aftinc,  sequential  types  into 
linear  types  to  ensure  strong  normalisability  and  full  ab¬ 
straction  for  P.  >_x,^-  Figure  5  shows  the  relationship  be¬ 
tween  these  results. 
[Figure 5 (diagram): the family of affine/linear typing systems and the results relating them, labelled with PCF, $\lambda_{\to,\times,+}$, FA and FC; the legend follows.]

Figure 5. A Family of Affine/Linear Systems


•  The  addition  of  branching  types  is  indicated  by  &,  — >■ 
adds  causality  to  action  types,  and  Seq  stands  for  the 
inclusion  of  the  sequentiality  constraints  used  in  [8]. 

•  Determinacy,  SN  and  sequentiality  are  properties  guar¬ 
anteed  by  each  typing  system. 

• FC denotes full completeness of the embedding of the corresponding $\lambda$-calculus into the $\pi$-calculus (in the sense of [3]), while FA stands for full abstraction.

For example, the linear typing system in §2 corresponds to Aff + $\to$, its branching extension in §5 to Aff + & + $\to$ and the sequential system in [8] to Aff + & + Seq. Note also that the development in §5 shows that our encoding is already 'almost' fully complete intensionally and indeed becomes fully complete by quotienting with the observational congruence. It is also notable that we could have used the call-by-value encoding in [28] to obtain exactly the same result, indicating the flexibility of the proposed calculus to encode functional SN behaviour.

Liveness in Interaction A consequence of strong normalisability is liveness in interaction: if a typed agent calls another replicated typed agent and waits for its answer at a truly linear channel $x$, then an answer is guaranteed to eventually arrive at $x$, however complex the intermediate interaction sequences may be. For the notion of closed action types used below, see §5.2.

Proposition  6.1  (linear  honesty)  Let  F  l-  x:  (t)'  be  such  that 
md(t)  ='[".  Suppose  F  h  P  i>  A  with  A  closed.  Then  P  P' 
implies  P'  — ^  where  I  is  an  output  at  y. 

We can strengthen Proposition 6.1 by incorporating the possibility that the client itself interacts with the server towards the eventual answer [18]. The central point of the present liveness property is that, in spite of such nested, complex webs of procedure calls, each client is still guaranteed to receive an answer, strengthening preceding related type disciplines, cf. [24, 25, 40].

State  and  Non-functional  Control  It  is  an  important  sub¬ 
ject  of  study  to  extend  our  typing  system  to  allow  incor¬ 
poration  of  state  and  non-functional  control.  The  resulting 
calculi  would  be  useful  as  a  theoretical  basis  for  the  appli¬ 
cation  of  SN  in  a  wider  realm.  Such  a  formalism  might 
also  be  useful  as  a  meta-language  for  logical  systems  with 
e.g.  non-deterministic  cut  elimination  procedures. 

So  far  we  have  verified  that  our  proof  method  is  also  ap¬ 
plicable  to  SN  for  first-order  stateful  processes,  albeit  un¬ 
der  a  sequentiality  constraint  [8].  We  foresee  no  fundamen¬ 
tal  difficulty  in  extending  the  results  to  concurrent  stateful 
computation,  although  the  lack  of  the  Church-Rosser  prop¬ 
erty  would  make  reasoning  harder. 

Complex Causality The present work adds minimum causality to the system in [8] to ensure SN of replicated processes. However, our SN proof seems to be able to cope, without significant change, with more complex causality relations: for example, we could relax the channel type constraints and extend action types to finite graph structures between arbitrary linear nodes as in [40]. An even wider class of SN interactions would be typable if we further allowed edges of the more general form $px \to qy$, where $p \in \{!, ?\}$ and $q$ ranges over the linear modes (i.e. replicated and linear nodes can be mixed). Diverse structures would be embeddable in such an extension, including full proof nets [7]. The status of strong reduction would become subtle in this setting, cf. [12].

Second-order and Other Extensions Can the presented results be augmented to cover more expressive notions of types studied in functional calculi? Adding recursive types [29, 39] easily leads to a system that is not strongly normalising: for example, the encoding, following Figure 4, of $(\lambda x.xx)(\lambda x.xx)$ would be typable. Regarding second-order types, our recent work [9] demonstrates that such extensions coexist harmoniously with SN, as they do in the corresponding functional calculi. In particular, the causality constraints formalised in the present paper are sufficient to encode System F fully abstractly in the second-order extension of the present system. Other, more refined type structures would also be worth studying in the present context: the $\pi$-calculus offers a natural habitat to SN typing systems for stateful, interactive and mobile computation.

Game Semantics In game semantics, "winning strategies" represent strong normalisation [3]. This representation ensures, essentially by definition, that composition of two winning strategies will never go into infinite $\tau$-actions (which would make the strategy partial). This extensional representation of SN does not directly suggest concrete type disciplines to ensure SN for mobile processes (although the liveness property discussed in Proposition 6.1 closely corresponds to the games-based characterisation of SN). On the other hand, the present work may offer new ways to formulate the notion of SN in game semantics, where acyclicity conditions are explicitly incorporated into game types.
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A.  Appendix:  Typing  Rules  for  Branching 

(Bra')  (C,/y,  =  W)  (Sel”)  (C,/.y,-  =  A  x  ?a-) 

rF.v;[&,T,]'  rF.r:[e,T,f 

r ■  y, :  T,  h  p, 0 q'  r •  y,  p>c 

rh  -v[&;(y,-: X/).P,] i>  !.v  -y  B  P h  xin(y,' :  Ti)Pt>AQ9.x 
The remaining (Bra) and (Sel) rules, for the other modes, are defined similarly.
A symbolic labelled transition system for coinductive subtyping of $F_{\mu\le}$ types

Extended Abstract

Abstract. $F_\le$ is a typed $\lambda$-calculus with subtyping and bounded polymorphism. Typechecking for $F_\le$ is known to be undecidable, because the subtyping relation on types is undecidable. $F_{\mu\le}$ is an extension of $F_\le$ with recursive types. In this paper, we show how symbolic labelled transition system techniques from concurrency theory can be used to reason about subtyping for $F_{\mu\le}$. We provide a symbolic labelled transition system for $F_{\mu\le}$ types, together with an appropriate notion of simulation, which coincides with the existing coinductive definition of subtyping. We then provide a 'simulation up to' technique for proving subtyping, for which there is a simple model checking algorithm. The algorithm is more powerful than the usual one for $F_\le$; for example it terminates on Ghelli's canonical example of nontermination.

1 Introduction

Symbolic labelled transition systems [11] have been used in concurrency theory to provide finite-state representations of infinite systems. They have been used to model-check systems with data dependencies, where the naive state space exploration technique would produce an infinite state space, and so not terminate.

In this paper, we apply symbolic lts techniques to a new problem area: that of deciding subtyping for polymorphic $\lambda$-calculi.

Subtyping and polymorphism. Curien and Ghelli's [5] $F_\le$ is a typed $\lambda$-calculus with bounded polymorphism and subtyping. It is based on Bruce and Longo's [2] development of Cardelli and Wegner's [3] Fun language.

The most interesting rule in $F_\le$ is that for subtyping of polymorphic types:

$$\frac{\Gamma \vdash T_2 \le T_1 \qquad \Gamma, X \le T_2 \vdash U_1 \le U_2}{\Gamma \vdash (\forall X \le T_1.\,U_1) \le (\forall X \le T_2.\,U_2)} \quad (\text{Full } F_\le)$$

This is a stronger rule than the rule used in Fun, which is:

$$\frac{\Gamma, X \le T \vdash U_1 \le U_2}{\Gamma \vdash (\forall X \le T.\,U_1) \le (\forall X \le T.\,U_2)} \quad (\text{Kernel } F_\le)$$


It is routine to develop an algorithm to check the subtyping property of Kernel $F_\le$, but subtyping for Full $F_\le$ has turned out to be surprisingly complex. Curien and Ghelli [5] gave an algorithm for checking subtyping, with a correctness proof provided by Ghelli [7]. Later, Ghelli [9] showed that this algorithm is not guaranteed to terminate. Pierce [14] showed that Ghelli's example of nontermination can be generalized to code a Turing machine, and so subtyping (and hence typechecking) for $F_\le$ is undecidable.

Subtyping and recursive types. Recursive types are a common programming language feature, typified by ML's datatype construct. Amadio and Cardelli [17] investigated the relationship between subtyping and recursive types. Brandt and Henglein [1] reformulated subtyping in terms of coinductive relations on types, which we will use here. The coinductive presentation of type systems for subtyping in the presence of recursive types has been used by Pierce and Sangiorgi [16] for the $\pi$-calculus, Turner [20] for Pict and Sewell [19] for a distributed $\pi$-calculus. A good introduction is by Gapeyev, Levin and Pierce [6].

Ghelli [8] has investigated the relationship between subtyping, recursive types and polymorphic types, in the recursive extension to $F_\le$, called $F_{\mu\le}$. He has shown a number of surprising results: adding recursion to $F_\le$ is not conservative, and does not satisfy the transitivity elimination property. These results are for the inductive definition of subtyping, however, whereas here we look at the coinductive definition, which is much better behaved. Colazzo and Ghelli have provided an algorithm for deciding subtyping of Kernel $F_{\mu\le}$ [4]: much of this paper is based on that algorithm.

Symbolic labelled transition systems. Labelled transition systems are a form of nondeterministic automaton, where all states are considered to be accepting states. They were proposed by Milner [12, 13] as an appropriate model for concurrent systems. They have since been used to model higher-order computation, for example Gordon's [10] lts model of the simply-typed $\lambda$-calculus.
One problem with lts models is that they can produce infinite models of systems which should be finite-state. For example, the process defined:

$$P = \mathrm{in}\,(x : \mathrm{int});\ \mathrm{out}\,(x + 1);\ P$$

has transitions:

$$(P) \xrightarrow{\mathrm{in}\,(n)} (\mathrm{out}\,(n + 1); P) \xrightarrow{\mathrm{out}\,(n + 1)} (P)$$

for every integer $n$ and so is infinite-state. Hennessy and Lin [11] proposed using symbolic labelled transition systems as an appropriate finitary representation. A symbolic lts includes free variables, so rather than having nodes being closed processes, and edges labelled with closed expressions, the nodes are processes together with their free variables, and the edges are labelled with open expressions. For example:

$$(\vdash P) \xrightarrow{\mathrm{in}\,(x : \mathrm{int})} (x : \mathrm{int} \vdash \mathrm{out}\,(x + 1); P) \xrightarrow{\mathrm{out}\,(x + 1)} (x : \mathrm{int} \vdash P)$$

Unfortunately, this system is still infinite-state, since the context can grow unboundedly:

$$(\vdash P) \xrightarrow{\mathrm{in}\,(x : \mathrm{int})} (x : \mathrm{int} \vdash \mathrm{out}\,(x + 1); P) \xrightarrow{\mathrm{out}\,(x + 1)} (x : \mathrm{int} \vdash P) \xrightarrow{\mathrm{in}\,(x' : \mathrm{int})} (x : \mathrm{int}, x' : \mathrm{int} \vdash \mathrm{out}\,(x' + 1); P) \longrightarrow \cdots$$

For this reason, symbolic techniques often work 'up to garbage collection', where unneeded free variables can be removed from the context. For example, the above process can be given a finite symbolic representation as:

$$(\vdash P) \xrightarrow{\mathrm{in}\,(x : \mathrm{int})} (x : \mathrm{int} \vdash \mathrm{out}\,(x + 1); P) \xrightarrow{\mathrm{out}\,(x + 1)} (x : \mathrm{int} \vdash P)$$

where $(x : \mathrm{int} \vdash P)$ is identified with $(\vdash P)$ by garbage collecting the unused $x$. Symbolic lts's have been used to provide finite-state representations of systems that would otherwise be infinite-state.

Contributions of this paper. In this paper, we apply the techniques of symbolic labelled transition systems to the problem of subtyping. In particular, we:

• Give an alternative characterization of subtyping for $F_{\mu\le}$, as polar simulation for an appropriate symbolic lts.

• Use a variant of Milner and Sangiorgi's [18] bisimulation up to method to give a sound proof technique for subtyping.

• Provide an algorithm for finding an appropriate polar simulation, if one exists.

• Show that the algorithm is partially correct: if it terminates, it does so with the right answer.

• Show that the algorithm is strictly more powerful than the standard algorithm for $F_\le$, and at least as powerful as Colazzo and Ghelli's algorithm for Kernel $F_{\mu\le}$.

Acknowledgements. I would like to thank Benjamin Pierce, James Riely and Peter Sewell for useful discussions about this material. Donald Knuth's TeX typesetting system, Leslie Lamport et al.'s LaTeX document markup language,
2 The type system of $F_{\mu\le}$

In this section, we review the type system used in Ghelli's [8] $F_{\mu\le}$. There are some minor syntactic differences between the types presented here and Ghelli's, but they are equally expressive. We have added type constants such as int and real to the language to make examples clearer; they are not required for any of the technical development.

Let $K$ range over a finite collection of type constants, such as int and real. The syntax of types is given:

$$T, U, V ::= T \to U \;|\; \mathrm{Top} \;|\; K \;|\; \forall X \le T.\,U \;|\; \mu^+X.\,T \;|\; X$$

Define the free variables of a type as:

$$\mathrm{fv}(T) = \mathrm{fv}^+(T) \cup \mathrm{fv}^-(T)$$

where the polarized free variables are:

$$\mathrm{fv}^{\pm}(T \to U) = \mathrm{fv}^{\mp}(T) \cup \mathrm{fv}^{\pm}(U)$$
$$\mathrm{fv}^{\pm}(\mathrm{Top}) = \emptyset \qquad \mathrm{fv}^{\pm}(K) = \emptyset$$
$$\mathrm{fv}^{\pm}(\forall X \le T.\,U) = \mathrm{fv}^{\mp}(T) \cup (\mathrm{fv}^{\pm}(U) \setminus \{X\})$$
$$\mathrm{fv}^{\pm}(\mu^+X.\,T) = \mathrm{fv}^{\pm}(T) \setminus \{X\}$$
$$\mathrm{fv}^{+}(X) = \{X\} \qquad \mathrm{fv}^{-}(X) = \emptyset$$

A type context is a sequence of variables with type bounds:

$$\Gamma, \Delta ::= X_1 \le T_1, \ldots, X_n \le T_n$$

where we ignore the order of bindings. The domain of a context $\mathrm{dom}(\Gamma)$ is defined:

$$\mathrm{dom}(X_1 \le T_1, \ldots, X_n \le T_n) = \{X_1, \ldots, X_n\}$$

When $X \in \mathrm{dom}(\Gamma)$ we define $\Gamma(X)$ as:

$$(\Gamma, X \le T)(X) = T$$

The well-formed context judgment $\Gamma \vdash \diamond$ is defined:

$$\frac{}{\emptyset \vdash \diamond} \qquad \frac{\Gamma \vdash T}{\Gamma, X \le T \vdash \diamond}\ [X \notin \mathrm{dom}(\Gamma)]$$

where the well-formed type judgment $\Gamma \vdash T$ is defined:

$$\frac{\Gamma \vdash T \quad \Gamma \vdash U}{\Gamma \vdash T \to U} \qquad \frac{\Gamma \vdash \diamond}{\Gamma \vdash \mathrm{Top}} \qquad \frac{\Gamma \vdash \diamond}{\Gamma \vdash K} \qquad \frac{\Gamma, X \le T \vdash U}{\Gamma \vdash \forall X \le T.\,U}$$

$$\frac{\Gamma, X \le T \vdash \diamond}{\Gamma, X \le T \vdash X} \qquad \frac{\Gamma, X \le \mathrm{Top} \vdash T}{\Gamma \vdash \mu^+X.\,T}\ [X \notin \mathrm{fv}^-(T),\ T \ne X]$$

Note that we have required $X$ to occur positively in $T$ in any recursive type $\mu^+X.\,T$, and that we cannot form recursive types of the form $\mu X.\,X$. These restrictions do not limit the expressive power of the type system, since for any $T(X)$ we can find $T'(X, X')$ such that:

$$T(X) = T'(X, X) \qquad X \notin \mathrm{fv}^-(T'(X, X')) \qquad X' \notin \mathrm{fv}^+(T'(X, X'))$$

then we can define:

$$\mu X.\,T(X) = \mu^+X_1.\,T'(X_1,\ \mu^+X_2.\,T'(X_2, X_1))$$

and we can give a greatest fixed point semantics for $\mu X.\,T$ as: Top if $X = Y$, $Y$ otherwise.

We define $\alpha$-equivalence on well-formed types as (when $Y \notin \mathrm{dom}(\Gamma)$):

$$(\Gamma, X \le U \vdash T) \;\equiv_{Y/X}\; (\Gamma[Y/X], Y \le U \vdash T[Y/X])$$

A well-formed relation on types $\mathcal{R}$ is a relation on well-formed types $\Gamma \vdash T$ such that if $(\Gamma_1 \vdash T_1)\ \mathcal{R}\ (\Gamma_2 \vdash T_2)$ then $\Gamma_1 = \Gamma_2$. We shall often write $\Gamma \vdash T_1\ \mathcal{R}\ T_2$ when $(\Gamma \vdash T_1)\ \mathcal{R}\ (\Gamma \vdash T_2)$. For example, the inductive subtyping relation $\le$ gives a well-formed relation on types:

$$(\Gamma \vdash T) \le (\Gamma \vdash U) \quad\text{iff}\quad \Gamma \vdash T \le U$$

We regard well-formed relations on types up to $\alpha$-equivalence, so we can complete the diagram: whenever $(\Gamma \vdash T)\ \mathcal{R}\ (\Gamma \vdash U)$ and $(\Gamma \vdash T) \equiv_{Y/X} (\Gamma' \vdash T')$, there is a $U'$ with $(\Gamma \vdash U) \equiv_{Y/X} (\Gamma' \vdash U')$ and $(\Gamma' \vdash T')\ \mathcal{R}\ (\Gamma' \vdash U')$.

We assume an ordering $K_1 \le K_2$ on type constants, for example $\mathrm{int} \le \mathrm{real}$. This is extended to an inductive subtyping judgment $\Gamma \vdash T_1 \le T_2$ defined:

$$\frac{}{\Gamma \vdash T \le T} \qquad \frac{}{\Gamma \vdash T \le \mathrm{Top}} \qquad \frac{K_1 \le K_2}{\Gamma \vdash K_1 \le K_2} \qquad \frac{\Gamma \vdash T_2 \le T_1 \quad \Gamma \vdash U_1 \le U_2}{\Gamma \vdash (T_1 \to U_1) \le (T_2 \to U_2)}$$

$$\frac{\Gamma \vdash T_2 \le T_1 \quad \Gamma, X \le T_2 \vdash U_1 \le U_2}{\Gamma \vdash (\forall X \le T_1.\,U_1) \le (\forall X \le T_2.\,U_2)} \qquad \frac{\Gamma \vdash \Gamma(X) \le T}{\Gamma \vdash X \le T}$$

$$\frac{\Gamma \vdash T_1[(\mu^+X.\,T_1)/X] \le T_2}{\Gamma \vdash (\mu^+X.\,T_1) \le T_2} \qquad \frac{\Gamma \vdash T_1 \le T_2[(\mu^+X.\,T_2)/X]}{\Gamma \vdash T_1 \le (\mu^+X.\,T_2)}$$

A well-formed relation on types $\mathcal{R}$ is sound for subtyping if, for every instantiated subtyping rule:

$$\frac{\Gamma_1 \vdash T_1 \le U_1 \quad \cdots \quad \Gamma_n \vdash T_n \le U_n}{\Gamma \vdash T \le U}$$

we have: if $\Gamma_1 \vdash T_1\ \mathcal{R}\ U_1$ and $\ldots$ and $\Gamma_n \vdash T_n\ \mathcal{R}\ U_n$ then $\Gamma \vdash T\ \mathcal{R}\ U$.

A well-formed relation on types $\mathcal{R}$ is consistent with subtyping if it is sound for subtyping, and whenever $\Gamma \vdash T\ \mathcal{R}\ U$ we can find an instantiated subtyping rule:

$$\frac{\Gamma_1 \vdash T_1 \le U_1 \quad \cdots \quad \Gamma_n \vdash T_n \le U_n}{\Gamma \vdash T \le U}$$

such that $\Gamma_1 \vdash T_1\ \mathcal{R}\ U_1$ and $\ldots$ and $\Gamma_n \vdash T_n\ \mathcal{R}\ U_n$.

Let the coinductive subtyping relation $\sqsubseteq$ be the largest relation consistent with subtyping.

Proposition 1 $\le$ is the smallest relation consistent with subtyping, and so $\le\ \subseteq\ \sqsubseteq$.

3 Motivation for the symbolic lts semantics for $F_{\mu\le}$

This paper provides an alternative characterization of subtyping for $F_{\mu\le}$, using a symbolic labelled transition system. By recasting coinductive subtyping as an lts, it is possible to use existing tools from concurrency theory, notably Milner and Sangiorgi's bisimulation up to technique.

The  Its  has  well-formed  types  as  nodes,  and  edges  which 
reflect  the  structure  of  the  type.  For  example,  the  Top  type 
has  no  transitions: 

(FhTop)  ^  (F'hF') 
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and  the  type  constants  have  transitions  with  their  name: 


(rhint)  ^  (PhTop)  (r  h  real)  ^  (Ph  Top) 


A well-formed relation ≥ is a polar simulation if it acts as a simulation on positive labels, and on negative labels we can complete the diagram with the relation inverted:


We can think of the subtyping relation as a simulation [13] relation: if T is a supertype of U then any transition of T must have a matching transition from U. For example we can complete the following diagram:

(⊢ real) ≥ (⊢ int),  where  (⊢ real) --real--> (⊢ Top)  is matched by  (⊢ int) ==real==> (⊢ Top),  and  (⊢ Top) ≥ (⊢ Top)

In general, whenever (Γ ⊢ T1) ≥ (Γ ⊢ T2) and (Γ ⊢ T1) --a--> (Γ' ⊢ T1'), there is a matching (Γ ⊢ T2) ==a==> (Γ' ⊢ T2') with (Γ' ⊢ T1') ≥ (Γ' ⊢ T2').

To cope with recursive types, we allow silent actions τ, where recursive types can silently unwind:

(Γ ⊢ μ+X . T) --τ--> (Γ ⊢ T[μ+X . T/X])


We define the 'matching transition relation' ==> formally in Section 4; for the moment we will just say that it includes -->, but also includes:

(Γ ⊢ int) ==real==> (Γ ⊢ Top)


For example, if we define:

T = μ+X . int → X        U = μ+Y . int → real → Y

then we have a polar simulation for T ≥ U, since we define the matching transition relation to ignore τ actions:


This notion of a 'matching transition relation' is standard in process calculi, where it is used to define weak bisimulation [13]. In general, a simulation ≥ is a well-formed relation on types where we can complete the diagram:

whenever (Γ ⊢ T1) ≥ (Γ ⊢ T2) and (Γ ⊢ T1) --a--> (Γ' ⊢ T1'), there is a matching (Γ ⊢ T2) ==a==> (Γ' ⊢ T2') with (Γ' ⊢ T1') ≥ (Γ' ⊢ T2').

Function  types  have  domain  and  codomain  transitions: 
(PF7-^(y) 

(PF7)  (P^f/) 


(F  int)  - — — ►  (F  int) 


(Fint->7)  - - - ►  (F  int —t  real -t  {/) 


Since function types are contravariant in their first argument and covariant in their second argument, we introduce polarity to labels: dom has negative polarity, and cod has positive polarity. This is important when we consider the subtyping relation, for example:

(⊢ int → real) ≥ (⊢ real → int)


Since we are giving a semantics for types with free variables, we need to give variables transitions: they can either announce themselves, or behave like their bound:

(Γ ⊢ X) --X--> (Γ ⊢ Top)        (Γ ⊢ X) --τ--> (Γ ⊢ Γ(X))

For example, X ≤ int ⊨ int ≥ X since:

(X ≤ int ⊢ int) --int--> (X ≤ int ⊢ Top)   is matched by   (X ≤ int ⊢ X) --τ--> (X ≤ int ⊢ int) --int--> (X ≤ int ⊢ Top)

Note that after a dom transition, the subtyping relation is inverted, but after a cod transition, it is not.
Finally, we are left with the meat of the problem: modelling bounded polymorphism. Modelling Kernel Fμ≤ is not too difficult, we just add transitions which reveal the structure of a polymorphic type:

(Γ ⊢ ∀X ≤ T . U) --bound--> (Γ ⊢ T)        (Γ ⊢ ∀X ≤ T . U) --∀X≤T--> (Γ, X ≤ T ⊢ U)

For example, ⊨ (∀X ≤ int . int) ≥ (∀X ≤ int . X) since:

(⊢ ∀X ≤ int . int) --bound--> (⊢ int)   and   (⊢ ∀X ≤ int . X) --bound--> (⊢ int)
(⊢ ∀X ≤ int . int) --∀X≤int--> (X ≤ int ⊢ int)   and   (⊢ ∀X ≤ int . X) --∀X≤int--> (X ≤ int ⊢ X)

where (⊢ int) ≥ (⊢ int) and (X ≤ int ⊢ int) ≥ (X ≤ int ⊢ X).

In order to model Full Fμ≤, however, we have to allow the bound of a polymorphic type to vary. We do this by adding an additional transition to the matching transition relation:

(Γ ⊢ ∀X ≤ T . U) ==∀X≤T'==> (Γ, X ≤ T' ⊢ U)

For example, ⊨ (∀X ≤ int . int) ≥ (∀X ≤ real . X) since:

(⊢ ∀X ≤ int . int) --bound--> (⊢ int)   and   (⊢ ∀X ≤ real . X) --bound--> (⊢ real),   with (⊢ int) ≤ (⊢ real) since bound is negative
(⊢ ∀X ≤ int . int) --∀X≤int--> (X ≤ int ⊢ int)   and   (⊢ ∀X ≤ real . X) ==∀X≤int==> (X ≤ int ⊢ X),   with (X ≤ int ⊢ int) ≥ (X ≤ int ⊢ X)

In general, since bound is a negative label, it is easy to see that the following diagram models the Full Fμ≤ rule for subtyping bounded polymorphism: from two related polymorphic types, the bound transitions lead to their two bounds, related in the inverted direction, and the ∀ transition of the supertype is matched by a ∀ transition of the subtype that uses the supertype's bound, leading to the two bodies under that bound, related in the same direction.

As a final example, we consider Ghelli's [9] example of non-termination of the standard algorithm for F≤ subtyping:

G = ∀X . ¬(∀Y ≤ X . ¬Y)

where we write ¬T as shorthand for T → Top, and ∀X . T as shorthand for ∀X ≤ Top . T. Ghelli's example is to verify:

X0 ≤ G ⊨ (∀X1 ≤ X0 . ¬X1) ≥ X0

If we define:

Γn = X0 ≤ G, X1 ≤ X0, ..., Xn ≤ Xn−1

then Γn ⊨ Gn ≥ Xn for every n, since the ∀Xn+1≤Xn transition from (Γn ⊢ Gn) to (Γn+1 ⊢ ¬Xn+1) is matched by a transition from (Γn ⊢ Xn) to (Γn+1 ⊢ ¬Gn+1), the bound transition from (Γn ⊢ Gn) to (Γn ⊢ Xn) is matched by (Γn ⊢ Xn) ==bound==> (Γn ⊢ Top), and the (negative) dom transitions then lead to (Γn+1 ⊢ Xn+1) and (Γn+1 ⊢ Gn+1), which are related by Γn+1 ⊨ Gn+1 ≥ Xn+1.

In particular, Γ0 ⊨ G0 ≥ X0, which is Ghelli's example. Note, however, that in order to show this subtyping, we had to construct an infinite simulation: we cannot just use this lts directly in a model checker to get an algorithm for deciding subtyping of Fμ≤. We will return to this problem in Section 5.
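To make the coinductive subtyping relation of Section 2 and the Ghelli example above concrete, here is an added Python example. It is not the paper's own algorithm (that is suptype, in Section 7): it implements the standard Fμ≤ subtyping rules from Section 2, treating recursive types coinductively by assuming any judgment already on the current derivation path (the usual Amadio and Cardelli style), and it counts the judgments it visits so that the standard algorithm's divergence on Ghelli's example shows up as an exhausted budget instead of a hang. The tuple representation of types, the helper names (subst, unfold, Checker, subtype, ghelli) and the fuel bound are assumptions of this example, not notation from the paper.

```python
from itertools import count

# Types are tagged tuples (a representation chosen for this example):
TOP = ('top',)
def const(k):                return ('const', k)               # type constant, e.g. int
def var(x):                  return ('var', x)                 # type variable
def arrow(t, u):             return ('arrow', t, u)            # T -> U
def forall(x, bound, body):  return ('all', x, bound, body)    # forall X <= T . U
def mu(x, body):             return ('mu', x, body)            # mu X . T
def neg(t):                  return arrow(t, TOP)              # the paper's shorthand: not T = T -> Top

CONST_ORDER = {('int', 'real')}   # the assumed ordering on type constants: int <= real

_names = count()
def fresh(x):
    """A fresh variable for the forall rule; we work up to alpha-conversion."""
    return '%s_%d' % (x, next(_names))

def subst(t, x, u):
    """t[u/x]. Binder names are assumed distinct from the free variables of u."""
    tag = t[0]
    if tag in ('top', 'const'):
        return t
    if tag == 'var':
        return u if t[1] == x else t
    if tag == 'arrow':
        return arrow(subst(t[1], x, u), subst(t[2], x, u))
    if tag == 'all':
        y, bound, body = t[1:]
        return forall(y, subst(bound, x, u), body if y == x else subst(body, x, u))
    y, body = t[1:]                                    # tag == 'mu'
    return t if y == x else mu(y, subst(body, x, u))

def unfold(t):
    """One silent unwinding of a recursive type: mu X.T  ->  T[mu X.T / X]."""
    return subst(t[2], t[1], t)

class Checker:
    """Standard F<= subtyping with a coinductive treatment of mu-types.

    sub() returns True or False, or None when the visit budget (fuel) runs out,
    which is how the non-terminating search on Ghelli's example becomes visible."""

    def __init__(self, fuel=200):
        self.fuel = fuel

    def sub(self, ctx, s, t, assumed=frozenset()):
        """Does ctx |- s <= t hold? ctx is a tuple of (X, bound) pairs."""
        goal = (ctx, s, t)
        if goal in assumed:            # judgment already on the derivation path: coinductive hypothesis
            return True
        if self.fuel == 0:
            return None
        self.fuel -= 1
        assumed = assumed | {goal}
        if t == TOP or s == t:         # Gamma |- T <= Top   and   Gamma |- T <= T
            return True
        if s[0] == 'var':              # Gamma |- Gamma(X) <= T  implies  Gamma |- X <= T
            return self.sub(ctx, dict(ctx)[s[1]], t, assumed)
        if s[0] == 'mu':               # unwind a mu on either side (the tau transitions)
            return self.sub(ctx, unfold(s), t, assumed)
        if t[0] == 'mu':
            return self.sub(ctx, s, unfold(t), assumed)
        if s[0] == 'const' and t[0] == 'const':
            return (s[1], t[1]) in CONST_ORDER
        if s[0] == 'arrow' and t[0] == 'arrow':    # dom is contravariant, cod is covariant
            return self._both(self.sub(ctx, t[1], s[1], assumed),
                              lambda: self.sub(ctx, s[2], t[2], assumed))
        if s[0] == 'all' and t[0] == 'all':        # Full F<= rule: bounds inverted, bodies under t's bound
            z = fresh(t[1])
            body_s, body_t = subst(s[3], s[1], var(z)), subst(t[3], t[1], var(z))
            return self._both(self.sub(ctx, t[2], s[2], assumed),
                              lambda: self.sub(ctx + ((z, t[2]),), body_s, body_t, assumed))
        return False

    @staticmethod
    def _both(first, second):
        """Conjunction that propagates both False and the out-of-fuel result None."""
        return second() if first is True else first

def subtype(ctx, s, t, fuel=200):
    return Checker(fuel).sub(ctx, s, t)

# Constructed inputs: the recursive types from the start of this section, and Ghelli's example.
T_REC = mu('X', arrow(const('int'), var('X')))                          # mu X . int -> X
U_REC = mu('Y', arrow(const('int'), arrow(const('real'), var('Y'))))   # mu Y . int -> real -> Y
G = forall('X', TOP, neg(forall('Y', var('X'), neg(var('Y')))))          # G = forall X . not(forall Y <= X . not Y)
GHELLI_CTX = (('X0', G),)
GHELLI_SUPER = forall('X1', var('X0'), neg(var('X1')))                  # forall X1 <= X0 . not X1

def ghelli(fuel=60):
    """X0 <= G |- X0 <= forall X1 <= X0 . not X1: the standard search never terminates."""
    return subtype(GHELLI_CTX, var('X0'), GHELLI_SUPER, fuel)
```

With these definitions, subtype((), U_REC, T_REC) succeeds because the second unwinding of both types reaches the judgment that was assumed on entry, whereas ghelli() runs out of fuel for any bound: every round extends the context by a fresh variable, so no judgment ever repeats and the coinductive hypothesis is never usable, which is exactly the infinite simulation the text describes.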

4  Definition of the symbolic lts semantics for Fμ≤

We now provide formal definitions for the material discussed in Section 3. The syntax of positive labels a+, negative labels a− and labels a is given by:

a+ ::= τ | cod | ∀X ≤ T | X
a− ::= dom | bound
a  ::= a+ | a−

The symbolic lts --> is defined by:

(Γ ⊢ T → U) --dom--> (Γ ⊢ T)
(Γ ⊢ T → U) --cod--> (Γ ⊢ U)
(Γ ⊢ K) --K--> (Γ ⊢ Top)
(Γ ⊢ ∀X ≤ T . U) --bound--> (Γ ⊢ T)
(Γ ⊢ ∀X ≤ T . U) --∀X≤T--> (Γ, X ≤ T ⊢ U)
(Γ ⊢ X) --X--> (Γ ⊢ Top)
(Γ ⊢ X) --τ--> (Γ ⊢ Γ(X))
(Γ ⊢ μ+X . T) --τ--> (Γ ⊢ T[μ+X . T/X])

The symbolic matching lts ==> is defined by:

(Γ ⊢ T → U) ==dom==> (Γ ⊢ T)
(Γ ⊢ T → U) ==cod==> (Γ ⊢ U)
(Γ ⊢ K) ==K'==> (Γ ⊢ Top)   (when K ≤ K')
(Γ ⊢ ∀X ≤ T . U) ==bound==> (Γ ⊢ T)
(Γ ⊢ ∀X ≤ T . U) ==∀X≤T'==> (Γ, X ≤ T' ⊢ U)
(Γ ⊢ X) ==X==> (Γ ⊢ Top)
(Γ ⊢ X) ==τ==> (Γ ⊢ Γ(X))
(Γ ⊢ μ+X . T) ==τ==> (Γ ⊢ T[μ+X . T/X])
(Γ ⊢ T) ==τ==> (Γ ⊢ T)

We write ==τ==>* for the transitive reflexive closure of --τ-->. We write ==a==> for the a-transition ignoring τ actions 'on the left', that is, ==τ==>* followed by the a-transition, and similarly for the matching transition.

5  Motivation for polar simulation up to polarized substitution

We have now given an alternative characterization of coinductive subtyping of Fμ≤, but this does not directly give us any benefits. We can now use standard model-checking techniques to check subtyping, but these only terminate when they find a finite polar simulation. As Ghelli's example (discussed in Section 3) shows, we can construct types which generate an infinite polar simulation.

In this section, we shall provide a proof technique based on Milner and Sangiorgi's [18] bisimulation up to methodology, which can be used to find finite representations of infinite polar simulations. It is based on the requirement to find finite symbolic graphs for process terms in Hennessy and Lin's work [11].

A polar simulation is a well-formed relation ℛ on types such that we can complete the diagram: whenever (Γ ⊢ T1) ℛ (Γ ⊢ T2) and (Γ ⊢ T1) --a±--> (Γ' ⊢ T1'), there is a matching (Γ ⊢ T2) ==a±==> (Γ' ⊢ T2') with (Γ' ⊢ T1') ℛ± (Γ' ⊢ T2'), where we write ℛ± for:

(Γ ⊢ T) ℛ+ (Γ ⊢ U)  iff  (Γ ⊢ T) ℛ (Γ ⊢ U)
(Γ ⊢ T) ℛ− (Γ ⊢ U)  iff  (Γ ⊢ U) ℛ (Γ ⊢ T)

Let ≥ be the largest polar simulation.

Proposition 2  ≥ is a preorder.

Proposition 3  Γ ⊨ T ≥ U iff Γ ⊢ U ⊑ T.

Polar simulation up to garbage collection. Define the garbage collection relation on well-formed types as discarding unused type variables, for example:

(X ≤ int, Y ≤ real ⊢ X) --gc--> (X ≤ int ⊢ X)

We can use polar simulation up to garbage collection to provide finite proofs of subtyping, for example if we define:

T = μ+X . ∀Y ≤ int . X        U = μ+X . ∀Y ≤ real . X

then we have a finite proof that ⊨ T ≥ U given by:

(⊢ T) --τ--> (⊢ ∀Y ≤ int . T) --bound--> (⊢ int)   and   (⊢ U) ==τ==> (⊢ ∀Y ≤ real . U) ==bound==> (⊢ real),   with (⊢ int) ≤ (⊢ real)
(⊢ ∀Y ≤ int . T) --∀Y≤int--> (Y ≤ int ⊢ T) --gc--> (⊢ T)   and   (⊢ ∀Y ≤ real . U) ==∀Y≤int==> (Y ≤ int ⊢ U) --gc--> (⊢ U)

which provides us with a finite representation of the proof that ⊨ T ≥ U. Polar simulation up to garbage collection is a sound proof technique, but it does not cope with Ghelli's example, since there are no unused type variables.


Polar simulation up to substitution. Our next failed attempt to find a proof technique generalizes the notion of polar simulation up to garbage collection, by observing that one can often replace a type variable by its bound, for example:

(X ≤ int, Y ≤ X ⊢ X → Y) --s(X≤int)--> (Y ≤ int ⊢ int → Y)

We can try to use this to show subtypings, for example Ghelli's Γ0 ⊨ G0 ≥ X0 from Section 3 has a finite polar simulation up to substitution:

(Γ0 ⊢ ∀X1 ≤ X0 . ¬X1) ≥ (Γ0 ⊢ X0): the bound transition leads to (Γ0 ⊢ X0), matched by (Γ0 ⊢ X0) ==bound==> (Γ0 ⊢ Top); the ∀X1≤X0 transition and its match lead to (Γ1 ⊢ ¬X1) ≥ (Γ1 ⊢ ¬∀X2 ≤ X1 . ¬X2), which the substitution s(X1≤X0) takes back to (Γ0 ⊢ ¬X0) ≥ (Γ0 ⊢ ¬∀X1 ≤ X0 . ¬X1).

Unfortunately, polar simulation up to substitution is not a sound proof technique, for example it would justify (⊢ ∀X ≤ int . X) ≥ (⊢ ∀X ≤ int . int): the bound transitions lead to (⊢ int) and (⊢ int), the ∀X≤int transitions lead to (X ≤ int ⊢ X) and (X ≤ int ⊢ int), and the substitution s(X≤int) takes both of these to (⊢ int).

As this example shows, we cannot always just replace type variables by their bounds, and expect to get a valid subtype relationship.

Polar simulation up to polar substitution. The technique we adopt in this paper is a refinement of polar simulation up to substitution. The crucial observation is that polar simulation up to substitution is sound, as long as we only replace negative occurrences of variables in the supertype, and positive occurrences of variables in the subtype.

Define the positive substitution relation as replacing any positive occurrences of a type variable by its bound, and undefined if there are any negative occurrences, for example:

(X ≤ int, Y ≤ X ⊢ Y → X) --s+(X≤int)--> (Y ≤ int ⊢ Y → int)

and the negative substitution relation similarly (but note that we always substitute positively in the type context):

(X ≤ int, Y ≤ X ⊢ X → Y) --s−(X≤int)--> (Y ≤ int ⊢ int → Y)

Then a polar simulation up to polar substitution is one where we are allowed to use negative substitution in the supertype, and positive substitution in the subtype. For example, we now have a valid finite proof of Ghelli's example, in which the step from (Γ1 ⊢ ¬X1) ≥ (Γ1 ⊢ ¬∀X2 ≤ X1 . ¬X2) back to (Γ0 ⊢ ¬X0) ≥ (Γ0 ⊢ ¬∀X1 ≤ X0 . ¬X1) uses the negative substitution s−(X1≤X0) on the supertype and the positive substitution s+(X1≤X0) on the subtype; and the counterexample for polar simulation up to substitution is no longer a counterexample, because it does not use substitution with the right polarity.

Polar simulation up to polar substitution is the proof technique we adopt for the rest of this paper.

6  Definition of polar simulation up to polar substitution

Let the garbage collection relation (Γ ⊢ T) --gc Δ--> (Γ' ⊢ T') be:

(Γ, Δ ⊢ T) --gc Δ--> (Γ ⊢ T)   (when Γ ⊢ T is well-formed)

Let ℛ be a polar simulation up to garbage collection whenever we can complete any diagram: whenever (Γ ⊢ T1) ℛ (Γ ⊢ T2) and (Γ ⊢ T1) --a±--> (Γ' ⊢ T1'), there is a matching (Γ ⊢ T2) ==a±==> (Γ' ⊢ T2') and a context Δ such that (Γ' ⊢ T1') --gc Δ--> (Γ'' ⊢ T1''), (Γ' ⊢ T2') --gc Δ--> (Γ'' ⊢ T2'') and (Γ'' ⊢ T1'') ℛ± (Γ'' ⊢ T2'').

Define a polar substitution T[U/X]± as:

T[U/X]± = T[U/X]   (when X has no occurrences of the opposite polarity in T, that is X ∉ fv∓(T))

Define a polar context substitution T[Δ]± as:

T[∅]± = T
T[Δ, X ≤ U]± = T[U/X]±[Δ]±   (when X ∉ fv(Δ))

Define a polar substitution relation (Γ ⊢ T) --s± Δ--> (Γ' ⊢ T') as:

(Γ, Δ ⊢ T) --s± Δ--> (Γ[Δ]+ ⊢ T[Δ]±)

Note that polar substitution generalizes garbage collection:

if (Γ ⊢ T) --gc Δ--> (Γ' ⊢ T') then (Γ ⊢ T) --s± Δ--> (Γ' ⊢ T')

Let ℛ be a polar simulation up to polar substitution whenever we can complete any diagram: whenever (Γ ⊢ T1) ℛ (Γ ⊢ T2) and (Γ ⊢ T1) --a±--> (Γ' ⊢ T1'), there is a matching (Γ ⊢ T2) ==a±==> (Γ' ⊢ T2') and a context Δ such that polar substitutions s Δ of the appropriate polarity for each side take (Γ' ⊢ T1') to (Γ'' ⊢ T1'') and (Γ' ⊢ T2') to (Γ'' ⊢ T2''), with (Γ'' ⊢ T1'') ℛ± (Γ'' ⊢ T2'').

We can then show that polar simulation up to polar substitution (and hence up to garbage collection) is a sound proof technique.

Proposition 4  If ℛ is a polar simulation up to polar substitution and Γ ⊢ T ℛ U then Γ ⊨ T ≥ U.


7  An algorithm for finding polar simulation up to polar substitution

Polar simulation up to polar substitution gives us a proof technique for showing subtyping, which can easily be converted into a model checking algorithm. Since Fμ≤ is deterministic, a simple breadth-first search algorithm is sufficient. The algorithm is given in Figure 1. The invariants for the while loop in the algorithm are:

1. Either Γ0 ⊢ T0 ℛ U0 or Γ0 ⊢ T0 S U0.

2. ℛ is a polar simulation up to polar substitution mod S.

3. If Γ0 ⊨ T0 ≥ U0 then (ℛ ∪ S) ⊆ ≥.

where ℛ is a polar simulation up to polar substitution mod S whenever we can complete any diagram: whenever (Γ ⊢ T1) ℛ (Γ ⊢ T2) and (Γ ⊢ T1) --a±--> (Γ' ⊢ T1'), there is a matching (Γ ⊢ T2) ==a±==> (Γ' ⊢ T2') and polar substitutions s Δ taking (Γ' ⊢ T1') and (Γ' ⊢ T2') to (Γ'' ⊢ T1'') and (Γ'' ⊢ T2''), which are related (with the polarity of a±) by ℛ ∪ S.

function suptype (Γ0, T0, U0) {
  let ℛ = ∅;
  let S = { Γ0 ⊢ T0 ≥ U0 };
  while (S ≠ ∅) {
    let S' = ∅;
    foreach (Γ1 ⊢ T1 ≥ U1) in S {
      foreach (Γ1 ⊢ T1) --a±--> (Γ2 ⊢ T2) {
        if (a± = τ) {
          add Γ2 ⊢ T2 ≥ U1 to S';
        } else if (Γ1 ⊢ U1) ==a±==> (Γ2 ⊢ U2) {
          let Δ be the largest type context
            such that (Γ2 ⊢ T2) --s± Δ--> (Γ3 ⊢ T3)
            and (Γ2 ⊢ U2) --s± Δ--> (Γ3 ⊢ U3);
          add Γ3 ⊢ T3 ≥± U3 to S';
        } else {
          return false;
        }
      }
    }
    ℛ = ℛ ∪ S;
    S = S' \ ℛ;
  }
  return true;
}

Figure 1: The algorithm

It is not too difficult to establish partial correctness of this algorithm, by establishing Invariants 1-3:

Proposition 5  For any Γ0 ⊢ T0 and Γ0 ⊢ U0 we have:

1. If suptype (Γ0, T0, U0) returns true then Γ0 ⊨ T0 ≥ U0.

2. If suptype (Γ0, T0, U0) returns false then Γ0 ⊨ T0 ≱ U0.

We can show that the algorithm is guaranteed to terminate in the case where Γ ⊨ T ≱ U.

Proposition 6  If Γ ⊨ T ≱ U then suptype (Γ, T, U) terminates.

We can also show that if there is a finite polar simulation up to polar substitution, then the algorithm will find it, and so will terminate. For example, this means the algorithm is guaranteed to terminate on Ghelli's example.

Proposition 7  If there exists a finite polar simulation up to polar substitution ℛ such that Γ ⊢ T ℛ U then suptype (Γ, T, U) terminates.

Using this, we can show that the algorithm is at least as strong as the standard algorithm for subtyping F≤. We do this by showing that if Γ ⊢ T ≥ U then we can construct a finite polar simulation ℛ such that Γ ⊢ T ℛ U.

Proposition 8  If the standard algorithm for subtyping F≤ terminates, then suptype (Γ, T, U) terminates with the same result.

Since our algorithm is at least as powerful as the standard algorithm, but terminates on Ghelli's example, we have that our algorithm is strictly more powerful.

8  Kernel Fμ≤

In [4], Colazzo and Ghelli provide an algorithm for subtyping of Kernel Fμ≤. Their algorithm:

•  Works directly on the structure of the types, rather than via an lts semantics.

•  Does not work 'up to α-conversion', which results in a more efficient algorithm, at the cost of extra complexity.

We can easily modify our algorithm to check Kernel subtyping, by changing the matching transition rule for polymorphic types to require bounds to be matched exactly:

(Γ ⊢ ∀X ≤ T . U) ==∀X≤T==> (Γ, X ≤ T ⊢ U)

We can show that this modified algorithm is as powerful as theirs (although probably not as efficient, depending on how α-conversion is handled), by showing that our algorithm terminates on Kernel Fμ≤.

Proposition 9  If Γ ⊨ T ≥ U in Kernel Fμ≤, then there is a finite polar simulation up to garbage collection ℛ such that Γ ⊢ T ℛ U.

Together with Proposition 7, this gives us that our algorithm is a decision procedure for subtyping of Kernel Fμ≤.

Proposition 10  If Γ ⊨ T ≥ U in Kernel Fμ≤, then suptype (Γ, T, U) terminates with true.

9  Colazzo and Ghelli's benchmark examples

We have already shown that our algorithm terminates on Ghelli's example of nontermination of the standard subtyping algorithm for F≤.

Colazzo and Ghelli [4] provide two motivating examples for their algorithm for Kernel Fμ≤, which act as useful benchmarks for our approach. The examples make use of tuple types T × U, and a bottom type ⊥: these can easily be given an lts semantics:

(Γ ⊢ T × U) has transitions to (Γ ⊢ T) and to (Γ ⊢ U), and (Γ ⊢ ⊥) has a transition to (Γ ⊢ ⊥)

with matching transitions:

(Γ ⊢ T × U) has matching transitions to (Γ ⊢ T) and to (Γ ⊢ U), and (Γ ⊢ ⊥) has matching transitions to (Γ ⊢ Top) and to (Γ ⊢ ⊥)

For example, we can use this semantics to verify one of Pierce's [15] requirements for subtyping with ⊥, that any type variable bounded by ⊥ is equivalent to ⊥:

X ≤ ⊥ ⊨ X ≥ ⊥        X ≤ ⊥ ⊨ ⊥ ≥ X

In the examples, we also use many syntactic abbreviations, such as defining equations, missing Top bounds, and ignoring some τ steps.

The first example is a benchmark which checks that the algorithm performs enough garbage collection to find a finite polar simulation up to garbage collection. It is given in Figure 2.

The second example checks that the algorithm does not produce false positives, caused by collapsing variables together incorrectly. It is given in Figure 3.

10  Conclusions and further work

This paper describes an application of symbolic labelled transition systems, which have previously been used to model concurrent languages, to modelling subtyping. This allows us to use techniques from concurrency theory, such as simulations and 'simulation up to', to reason about subtyping. It also often makes proofs easier to read, even in the presence of quite complex types such as Colazzo and Ghelli's benchmark in Figure 2.

This technique should generalize to other examples such as record subtyping, union types and intersection types. It may be that Gordon's [10] work on lts semantics for λ-calculi could be applied here, to give a semantics of higher-order features such as functions of kind Type → Type. We leave the technical development of this to future work.

The main result which is missing from the current work is a syntactic characterization of when the algorithm suptype terminates. Also, we have not discussed how α-conversion would be implemented: it should be possible to define α-conversion as a strong bisimulation, and then use polar simulation up to strong bisimulation as a proof technique. We also leave these issues for future work.
[Figure 2 residue: the defining equations of T1, T2(X1), T3(X1), U1, U2(Y2) and U3(Y2), and the simulation diagram with its garbage-collection step gc X2 from (X1, X2 ⊢ U2) to (X1 ⊢ U2), do not survive extraction.]

Figure 2: Colazzo and Ghelli's first example; show that ⊨ T1 ≥ U1
Abstract

In this paper we give a topological proof of the following result: There exist 2^ℵ0 lambda theories of the untyped lambda calculus without a model in any semantics based on Scott's view of models as partially ordered sets and of functions as monotonic functions. As a consequence of this result, we positively solve the conjecture, stated by Bastonero-Gouy [6, 7] and by Berline [10], that the strongly stable semantics is incomplete.

1. Introduction

Lambda theories are consistent extensions of the lambda calculus that are closed under derivation. They arise by syntactical considerations (a lambda theory may correspond to a possible operational (observational) semantics of lambda calculus, see e.g. [2, 3, 24]), as well as by semantic ones (a lambda theory may be the theory of a model of lambda calculus, see e.g. [3, 10]). Since the lattice of lambda theories is a very rich and complex structure (see e.g. [3, 10, 24, 25, 49]), syntactical techniques are usually difficult to use in the study of lambda theories. Therefore, semantic methods have been extensively investigated.

Computational motivations and intuitions justify Scott's view of models (see [44, 45]) as partially ordered sets (sets of observations or informations) and of computable functions as monotonic functions over these sets. After Scott, mathematical models of lambda calculus in various categories of domains (see [1, 48]) were classified into semantics according to the nature of their representable functions (see [2, 3, 4, 10, 16, 20, 25]). Scott's continuous semantics [45] is given in the category whose objects are complete partial orders and morphisms are continuous functions. The stable semantics introduced by Berry in [11] and the recent strongly stable semantics introduced by Bucciarelli and Ehrhard in [12] are strengthenings of the continuous semantics. The stable semantics is given in the category of DI-domains with stable functions as morphisms, while the strongly stable one in the category of DI-domains with coherence, and strongly stable functions as morphisms. All these semantics are structurally and equationally rich in the sense that it is possible to build up models in each of them inducing pairwise distinct lambda theories (see [28, 29]). The problem of the equational richness is related to the problem of the completeness/incompleteness of a semantics: is the set of lambda theories determined by these semantics equal to, or strictly included within, the set of consistent lambda theories?

The first incompleteness result was obtained by Honsell and Ronchi della Rocca [25] for the continuous semantics. They proved, via a hard syntactical proof, that the contextual lambda theory induced by the set of essentially closed terms does not admit a continuous model. Following a similar method, Gouy [21] proved the incompleteness of the stable semantics with a much harder syntactical proof. Other more semantic proofs of incompleteness for the continuous and stable semantics can be found in [7]. Bastonero [6] provides an incompleteness result for the hypercoherence semantics.

Bastonero [6, Section 6], Bastonero-Gouy [7, Section 7] and Berline [10, Section 6.1] conjecture that the strongly stable semantics is also incomplete. In this paper we give a positive answer to this open question. We prove that any semantics of lambda calculus based on Scott's paradigmatic view of models as partially ordered sets and of computable functions as monotonic functions is incomplete if the partial order admits a bottom element. This incompleteness is due to 2^ℵ0 distinct lambda theories. The main theorem of the paper unifies and subsumes incompleteness results for different classes of models that have been proved in different ways, using different approaches.

The proof of incompleteness is based on a general theorem of separation for topological algebras. We prove that under a very weak condition, called weak subtractivity, a topological algebra admits two elements 0 and 1 which can be T2½-separated (i.e., there exist two open neighbourhoods of 0 and 1 respectively whose closures have empty intersection). All models of lambda calculus based on Scott's paradigmatic view are topological algebras with respect to the Alexandroff topology generated by the partial order over the model. Posets such as join semilattices, meet semilattices, complete partial orderings, lattices, posets with a least element, posets with a greatest element cannot have T2½-separated elements w.r.t. the Alexandroff topology. Then the incompleteness theorem is determined by proving that there exist 2^ℵ0 semisensible lambda theories that admit only weakly subtractive models.

2. Preliminaries

To keep this article self-contained, we summarize some definitions and results that we will need in the subsequent part of the paper. With regard to the lambda calculus we follow the notation and terminology of Barendregt (see [3]).

For the general theory of lambda calculus the reader may consult Barendregt [3] and Krivine [30]. For the general theory of universal algebras the reader may consult Burris and Sankappanavar [13], Grätzer [22], and McKenzie, McNulty and Taylor [32]. The main references for topological algebras are Taylor [52, 53], Gumm [23], Bentz [8] and Coleman [14, 15].

2.1. Lambda theories

Λ denotes the set of λ-terms, while Λ° denotes the set of closed λ-terms, where a λ-term is closed if it does not admit free occurrences of variables.

Lambda theories are consistent extensions of the lambda calculus that are closed under derivation. Remember that an equation is a formula of the form M = N with M, N ∈ Λ. The equation is closed if M and N are closed λ-terms. If T is a set of equations, then the theory λ + T is obtained by adding to the axioms and rules of the lambda calculus the equations in T as new axioms. If T is a set of closed equations, T⁺ is the set of closed equations provable in λ + T. T is a lambda theory if T⁺ = T (see [3, Def. 4.1.1]). As a matter of notation, T ⊢ M = N stands for λ + T ⊢ M = N; this is also written as M =_T N. [M]_T = {N ∈ Λ° : T ⊢ N = M} denotes the equivalence class of the closed λ-term M.

The lambda theory H, generated by equating all the unsolvable λ-terms, is consistent [3, Thm. 16.1.3]. A lambda theory T is called semisensible [3, Def. 4.1.7(iii)] if T ⊬ M = N whenever M is solvable and N is unsolvable.

2.2. Combinatory algebras and λ-models

An algebra C = (C, ·, k, s), where · is a binary operation and k, s are constants, is called a combinatory algebra (Curry [17], Schönfinkel [43]) if it satisfies the following identities (as usual the symbol · is omitted, and association is to the left): kxy = x; sxyz = xz(yz). In the equational language of combinatory algebras the derived combinator i is defined as i = skk. A function f : C → C is called representable if there exists an element c ∈ C such that cz = f(z) for all z ∈ C. If this last condition is satisfied, we say that c represents the map f in C.

Let C be a combinatory algebra and let c̲ be a new symbol for each c ∈ C. Extend the language of lambda calculus by adjoining c̲ as a new constant symbol for each c ∈ C. Let Λ°(C) be the set of closed λ-terms with constants from C. The interpretation of terms in Λ°(C) with elements of C can be defined by induction as follows (for all M, N ∈ Λ°(C) and c ∈ C):

|c̲|_C = c;   |(MN)|_C = |M|_C |N|_C;   |λx.M|_C = m,

where m ∈ C is any element representing the following map f : C → C:

f(c) = |M[x := c̲]|_C, for all c ∈ C.

The drawback of the previous definition is that, if C is an arbitrary combinatory algebra, it may happen that the map f is not representable. The axioms of a subclass of combinatory algebras, called λ-models or models of lambda calculus (Meyer [33], Scott [47], [3, Def. 5.2.7]), were expressly chosen to make the previous definition of interpretation coherent. For every λ-model C, the set Th(C) = {M = N : M, N ∈ Λ°, C ⊨ M = N} constitutes a lambda theory. C is a model of the lambda theory T if T = Th(C).

We would like to point out here that there exists an algebraic approach to the model theory of lambda calculus, alternative to combinatory logic, that allows one to keep the lambda notation and all the functional intuitions (see [34, 35, 36, 40, 41, 42]).

2.3. Topological algebras

A topological algebra is a pair (A, τ) where A is an algebra and τ is a topology on the underlying set A with the property that each basic operation of A is continuous with respect to τ. (We will occasionally avoid explicit mention of τ.)

Let b̄ be the closure of the set {b}. For any (topological) space (A, τ) a preorder can be defined by

a ≤_τ b  iff  a ∈ b̄  iff  ∀U ∈ τ (a ∈ U ⇒ b ∈ U).

We have

τ is T0  iff  ≤_τ is a partial order.

For any T0-space A the partial order ≤_τ is called the specialization order of τ. Note that any continuous map between T0-spaces is necessarily monotone and that the order is discrete (i.e. satisfies a ≤_τ b iff a = b) iff A is a T1-space.

Let (A, ≤) be a partially ordered set (poset). B ⊆ A is an upper (lower) set if b ∈ B and b ≤ a (a ≤ b) imply a ∈ B. We utilize the notation B↑ (B↓) for the least upper (lower) set containing a subset B of A. We write a↑ for {a}↑ and a↓ for {a}↓.

Given a poset (A, ≤) we can find many T0-topologies τ on A for which ≤ is the specialization ordering of τ (see Johnstone [27, Section II.1.8]). The Alexandroff topology and the weak topology defined below are the maximal one and the minimal one with this property.

The Alexandroff topology of (A, ≤) is constituted by the collection of all upper sets in A, i.e.,

U is an Alexandroff open  iff  U = U↑.

Then a↑ is the least open set containing a. A function is continuous w.r.t. the Alexandroff topology if, and only if, it is monotonic. The closure of the open set a↑ is (a↑)↓.

The weak topology ω(A, ≤) is constituted by the smallest topology for which all sets of the form a↓ are closed, i.e. the topology based by sets of the form A − (a1↓ ∪ ... ∪ an↓).

Let (A, ≤) be a poset, τ be a topology on A. Then τ is T0 with specialization order ≤ if, and only if, ω(A, ≤) ⊆ τ and τ is contained in the Alexandroff topology of (A, ≤).
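As an added example (not from the paper), the following Python code models the definitions above for a finite poset: Alexandroff opens as upper sets, topological closure, the specialization preorder, and a check for T2½-separation of two elements. It also exercises the introduction's remark that a poset with a least element has no T2½-separated pair under the Alexandroff topology, alongside an antichain where separation does hold. The class FinitePoset, its method names and the two sample posets are assumptions of this example.

```python
from itertools import combinations, product

def powerset(elems):
    """All subsets of a finite set as frozensets (fine for the tiny posets used here)."""
    elems = sorted(elems)
    for r in range(len(elems) + 1):
        for combo in combinations(elems, r):
            yield frozenset(combo)

class FinitePoset:
    """A finite poset (A, <=) together with its Alexandroff topology (all upper sets)."""

    def __init__(self, elems, pairs):
        self.elems = frozenset(elems)
        le = {(x, x) for x in self.elems} | set(pairs)   # reflexive closure of the given pairs
        changed = True                                   # ... then the transitive closure
        while changed:
            changed = False
            for (a, b), (c, d) in product(list(le), repeat=2):
                if b == c and (a, d) not in le:
                    le.add((a, d))
                    changed = True
        self.le = le

    def leq(self, a, b):
        return (a, b) in self.le

    def up(self, B):
        """B^ : the least upper set containing B."""
        return frozenset(a for a in self.elems if any(self.leq(x, a) for x in B))

    def down(self, B):
        """Bv : the least lower set containing B."""
        return frozenset(a for a in self.elems if any(self.leq(a, x) for x in B))

    def opens(self):
        """Alexandroff opens: exactly the subsets U with U = U^."""
        return [U for U in powerset(self.elems) if U == self.up(U)]

    def closure(self, S):
        """Closure of S: the complement of the largest open set inside the complement of S."""
        complement = self.elems - frozenset(S)
        interior = frozenset().union(*(U for U in self.opens() if U <= complement))
        return self.elems - interior

    def specialization(self, a, b):
        """a <=_tau b iff a lies in the closure of {b}."""
        return a in self.closure({b})

    def t2half_separated(self, a, b):
        """Do a and b have open neighbourhoods whose closures are disjoint?"""
        opens = self.opens()
        return any(a in U and b in V and not (self.closure(U) & self.closure(V))
                   for U in opens for V in opens)

def specialization_is_order(poset):
    """The text's claim for the Alexandroff topology: the specialization order is <= itself."""
    return all(poset.specialization(a, b) == poset.leq(a, b)
               for a in poset.elems for b in poset.elems)

# Constructed sample posets: a diamond lattice with least element '0', and a two-element antichain.
DIAMOND = FinitePoset(['0', 'a', 'b', '1'], [('0', 'a'), ('0', 'b'), ('a', '1'), ('b', '1')])
ANTICHAIN = FinitePoset(['x', 'y'], [])
```

In the diamond every non-empty open set is an upper set whose closure, being a lower set, contains the least element, so no two opens have disjoint closures; in the antichain every subset is open and closed, so the two points are separated.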

3. The topological theorem

In this Section we prove a general theorem of separation for topological algebras. Under a very weak condition, called weak subtractivity, a topological algebra admits two elements 0 and 1 which can be T_{2½}-separated. We were inspired by Bentz [8] and Coleman [14, 15] for the idea of this theorem and for the techniques used in its proof. In the last part of the Section we characterize the topological algebras with Alexandroff topology which cannot be weakly subtractive.

The notion of subtractivity in Universal Algebra was introduced by Aldo Ursini [54]. A variety (equational class) of algebras is subtractive if there exist a term s(x, y) and a constant 0 such that the identities

s(x, x) = 0; s(x, 0) = x

are satisfied by every algebra in the variety. Term s simulates part of subtraction: x minus x is equal to 0, while x minus 0 is equal to x.

In this paper we introduce a weak form of subtractivity.

Definition 3.1 An algebra A is weakly subtractive if there exist a term s(x, y) and two constants 0 and 1 in the similarity type of A such that

s(x, x) = 0; s(1, 0) = 1; 1 ≠ 0.

Separation axioms in topology stipulate the degree to which distinct points may be separated by open sets or by closed neighborhoods of open sets. In the following theorem we prove that in every weakly subtractive T0-topological algebra the elements 0 and 1 can be T_{2½}-separated. This means that there exist two open neighbourhoods of 0 and 1 respectively whose closures have empty intersection.

As a matter of notation, if A is a space then the closure of a subset U of A will be denoted by Ū. Recall that a ∈ Ū iff Z ∩ U ≠ ∅ for every open neighbourhood Z of a.

Theorem 3.1 Let (A, τ) be a weakly subtractive T0-topological algebra. Then there exist an open neighbourhood V of 1 and an open neighbourhood W of 0 such that

V̄ ∩ W̄ = ∅.

Proof: The proof is divided into claims.

Claim 3.1 There exists an open neighbourhood U of 1 such that 0 ∉ U.

Assume, by way of contradiction, that 1 ≤_τ 0, i.e., every open neighbourhood of 1 contains 0. Then by the T0 hypothesis on τ there exists an open neighbourhood Z of 0 such that 1 ∉ Z. Then we have 0 = s(1, 1) ∈ Z. By continuity in the second coordinate, there exists an open neighbourhood R of 1 such that s(1, R) ⊆ Z. By 1 ≤_τ 0 it follows that 0 ∈ R, so that 1 = s(1, 0) ∈ Z. Contradiction.

Claim 3.2 There exist an open neighbourhood V' of 1 and an open neighbourhood W' of 0 such that V' ∩ W' = ∅.

By Claim 3.1 there exists an open neighbourhood U of 1 such that 0 ∉ U. From s(1, 0) = 1 ∈ U and from the continuity of s it follows that there exist two open neighbourhoods V', W' of 1 and 0 respectively such that s(V', W') ⊆ U. If there is an element b ∈ V' ∩ W' then 0 = s(b, b) ∈ U, which contradicts the hypothesis on U. Then we have V' ∩ W' = ∅.

We now provide the proof of the theorem. By Claim 3.2 there exist two open neighbourhoods V' and W' of 1 and 0 respectively with empty intersection. Since s is continuous and s(1, 0) = 1 ∈ V', there exist two other open sets V and W containing 1 and 0, respectively, such that s(V, W) ⊆ V'. The sets V and W will be the right sets for the conclusion of the theorem. Since s is continuous the pre-image of V̄' under the map s is closed. From s(V, W) ⊆ V' ⊆ V̄' the pre-image of V̄', which is closed, contains V̄ × W̄, so s(V̄, W̄) ⊆ V̄'.

We now prove that V̄ ∩ W̄ = ∅. Assume, by way of contradiction, that there is d ∈ V̄ ∩ W̄. Since s(V̄, W̄) ⊆ V̄' it follows that 0 = s(d, d) ∈ V̄'. But by definition of closure of a set this is possible only if for every open neighbourhood Z of 0, we have that Z ∩ V' ≠ ∅. But this contradicts our initial choice of V' and W' as two open neighbourhoods of 1 and 0 respectively with empty intersection. □
Connectedness axioms in topology examine the structure of topological spaces in an orthogonal way with respect to separation axioms. They deny the existence of certain subsets of a topological space with properties of separation. For example, a space with no disjoint open sets is called hyperconnected, while a space with no disjoint closed sets is called ultraconnected (see Steen-Seebach [51, Section 4]).

Definition 3.2 We say that a space is closed-open-connected, co-connected for short, if it has no disjoint closures of open sets. In other words, if, for all open sets U and V, we have that V̄ ∩ Ū ≠ ∅.

We have the following implications:

hyperconnectedness ⇒ co-connectedness ⇒ connectedness

and

ultraconnectedness ⇒ co-connectedness ⇒ connectedness.

Then co-connectedness is a sort of meeting point between ultraconnectedness and hyperconnectedness.

The following result is an easy consequence of Thm. 3.1.

Corollary 3.1 There exists no weakly subtractive T0-topological algebra (A, τ) whose topology τ is co-connected.

We say that a poset (A, ≤) is co-connected if the Alexandroff topology of (A, ≤) is co-connected. This is equivalent to say that, for all a, b ∈ A, (a↑)↓ ∩ (b↑)↓ ≠ ∅. The following posets are co-connected: join semilattices, meet semilattices, complete partial orderings, lattices, posets with a least element, posets with a greatest element.
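Worked instances of the criterion (a↑)↓ ∩ (b↑)↓ ≠ ∅, added here as an illustration and not part of the paper. They verify four items of the list above and contrast them with a poset that fails the criterion; the two-element antichain {p, q} is a constructed example.

```latex
\begin{align*}
&\text{Least element } \bot:
  && \bot \le a \Rightarrow \bot \in a{\downarrow} \subseteq (a{\uparrow}){\downarrow}
     \ \text{ for every } a,
  \ \text{ so } \bot \in (a{\uparrow}){\downarrow} \cap (b{\uparrow}){\downarrow}. \\[4pt]
&\text{Greatest element } \top:
  && \top \in a{\uparrow} \cap b{\uparrow} \subseteq (a{\uparrow}){\downarrow} \cap (b{\uparrow}){\downarrow}. \\[4pt]
&\text{Join semilattice:}
  && a \vee b \in a{\uparrow} \cap b{\uparrow} \subseteq (a{\uparrow}){\downarrow} \cap (b{\uparrow}){\downarrow}. \\[4pt]
&\text{Meet semilattice:}
  && a \wedge b \in a{\downarrow} \cap b{\downarrow} \subseteq (a{\uparrow}){\downarrow} \cap (b{\uparrow}){\downarrow}. \\[4pt]
&\text{Antichain } \{p, q\},\ p \neq q \ (\text{not co-connected}):
  && p{\uparrow} = \{p\},\ (p{\uparrow}){\downarrow} = \{p\},\quad
     q{\uparrow} = \{q\},\ (q{\uparrow}){\downarrow} = \{q\},\quad
     \{p\} \cap \{q\} = \emptyset .
\end{align*}
```

In the antichain the Alexandroff topology is discrete, so every set is clopen and the closures of the open sets {p} and {q} are disjoint; this is the simplest shape of a T0-space that Corollary 3.1 does not rule out for a weakly subtractive algebra.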

By definition a topology τ₁ is weaker than a topology τ₂ if τ₁ ⊆ τ₂.

Lemma 3.1 If the topology τ₁ is weaker than a co-connected topology τ₂, then τ₁ is also co-connected.

Proof: The closure of a set grows if there are fewer open (and closed) sets. □

Theorem 3.2 There exists no weakly subtractive T0-topological algebra whose specialization order is co-connected.

Proof: Let (A, τ) be a weakly subtractive T0-topological algebra whose specialization order ≤ is co-connected. By Thm. 3.1 there exist an open neighbourhood V of 1 and an open neighbourhood W of 0 such that V̄ ∩ W̄ = ∅. Then the topology τ is not co-connected. The Alexandroff topology of (A, ≤) is the maximal topology τ₁ with the property that ≤ is the specialization ordering of τ₁ (see Johnstone [27, Section II.1.8]). Then τ is weaker than the Alexandroff topology of (A, ≤). By hypothesis the Alexandroff topology is co-connected. By applying Lemma 3.1 we get that τ is also co-connected. This is a contradiction. □

4. The incompleteness theorem

A class C of models of lambda calculus represents a lambda theory T if there is a model in C whose theory is exactly T. A class of models is incomplete if it does not represent all the lambda theories.

We now define a class of semisensible distinct lambda theories satisfying the following condition: if C is a model of a lambda theory in the class, then C is a weakly subtractive combinatory algebra.

Consider the (consistent and) semisensible lambda theory A axiomatized by

Ωxx = Ω; ΩΩ₃Ω = Ω₃,

where Ω = (λx.xx)(λx.xx), Ω₃ = (λx.xxx)(λx.xxx).

In the next theorem, the technically hardest part of the work, we prove that the lambda theory A does not equate Ω and Ω₃. This result implies that the term model of A is a weakly subtractive combinatory algebra.

Theorem 4.1 A ⊬ Ω = Ω₃.

Proof: We provide an outline of the proof. Define

Ω₃* = ΩΩ₃Ω; (ΩΩ₃Ω)* = Ω₃. (1)

The definition of a context, i.e., a lambda term with some holes in it, can be found in [3, Def. 2.1.18]. Let Σ be the least lambda theory satisfying the following conditions for every context C[ ], λ-term N, and element d ∈ {Ω₃, ΩΩ₃Ω}:

(i) Σ ⊢ Ωxx = Ω;

(ii) Σ ⊢ Ω(C[d])N = Ω implies Σ ⊢ Ω(C[d*])N = Ω;

(iii) Σ ⊢ ΩN(C[d]) = Ω implies Σ ⊢ ΩN(C[d*]) = Ω.

Σ exists because the set of lambda theories satisfying the three above conditions is closed under arbitrary intersection and it is not empty (the lambda theory H equating all the unsolvables satisfies (i)-(iii)).

Σ satisfies the following condition for all λ-terms M, N:

Σ ⊢ M = N ⇒ Σ ⊢ ΩMN = Ω. (2)

From Σ ⊢ M = N and Σ ⊢ ΩNN = Ω it follows that Σ ⊢ ΩMN = ΩNN = Ω.

Let →_Σ be the following reduction rule:

ΩMN →_Σ Ω (3)

for every M and N such that Σ ⊢ ΩMN = Ω. The reflexive closure of →_Σ satisfies the diamond property, and the relations →_β and →_Σ commute. Then the reduction rule →_{βΣ} = →_β ∪ →_Σ is Church-Rosser by the Hindley-Rosen Lemma (see Berarducci-Intrigila [9, Thm. 3.4] and Barendregt [3, Prop. 3.3.5]).

Then we prove that Σ is the lambda theory generated by conversion =_{βΣ} from →_{βΣ}, i.e.,

Σ ⊢ M = N iff M =_{βΣ} N. (4)

The proof of (4) is obtained as follows. Since ΩMN →_Σ Ω iff Σ ⊢ ΩMN = Ω, then it is obvious that M =_{βΣ} N implies Σ ⊢ M = N. For the opposite direction, we utilize conditions (ii)-(iii) in the definition of Σ to prove that, for every d ∈ {Ω₃, ΩΩ₃Ω} and every λ-term P,

Pd →_{βΣ} Ω ⇒ Pd* →_{βΣ} Ω. (5)

Then we use (5) to show that the conversion relation =_{βΣ} satisfies conditions (i)-(iii) utilized in the definition of Σ. Since Σ is the least lambda theory satisfying conditions (i)-(iii) we have the conclusion.

From (4) it follows that

Σ ⊬ Ω = Ω₃, (6)

since Ω and Ω₃ do not have a common reduct w.r.t. →_{βΣ}. The next step in the proof is to show that

Σ + ΩΩ₃Ω = Ω₃ ⊬ Ω = Ω₃. (7)

This result gives the conclusion of the theorem, i.e., A ⊬ Ω = Ω₃, since the axioms defining the lambda theory A are contained in Σ + ΩΩ₃Ω = Ω₃. In other words, A is included into the lambda theory generated by Σ + ΩΩ₃Ω = Ω₃. The proof of (7) is obtained as follows. Assume, by way of contradiction, that Σ + ΩΩ₃Ω = Ω₃ ⊢ Ω = Ω₃.

We apply the following version of Jacopini Lemma (see Jacopini [26] and Kuper [31]). There exist closed λ-terms P₁, ..., Pₙ, e₁, ..., eₙ (n ≥ 0) such that the following conditions are satisfied (recall the definition of operator * from (1) above):

(i) e_i ∈ {Ω₃, ΩΩ₃Ω} for every i = 1, ..., n;

(ii) Σ ⊢ Ω = P₁e₁;

(iii) Σ ⊢ P_r e_r* = P_{r+1} e_{r+1} for r = 1, ..., n − 1;

(iv) Σ ⊢ Pₙ eₙ* = Ω₃.

From (4), (5) and (i)-(iv) above it follows that

Σ ⊢ P_r e_r* = Ω for every r = 1, ..., n,

so that from (iv) it follows that

Σ ⊢ Ω = Ω₃

that contradicts (6). □

The following theorem by Visser as formulated in [3, Thm. 17.1.10] will be used in Thm. 4.3 below.

Theorem 4.2 (Visser [55]) Let T ⊆ T' be recursively enumerable lambda theories such that T' ⊢ M = N and T ⊬ M = N. Then there exists a lambda theory S such that

T ⊂ S ⊂ T' and S ⊬ M = N.

Theorem 4.3 Let ℝ be the set of real numbers. There exists a family S = (S_r : r ∈ ℝ) of semisensible distinct lambda theories such that A ⊆ S_r and S_r ⊬ Ω = Ω₃ for all r ∈ ℝ.

Proof: Let Π be the consistent lambda theory axiomatized by Ωxx = Ω and Ω = Ω₃. Then A ⊂ Π because

Π ⊢ ΩΩ₃Ω = ΩΩΩ = Ω = Ω₃ and A ⊬ Ω = Ω₃.

By Thm. 4.2 there exists a third lambda theory S such that A ⊂ S ⊂ Π and S ⊬ Ω = Ω₃. Using Thm. 4.2 one can embed the rationals into the recursively enumerable lambda theories included between A and Π (see [3, Corollary 17.1.11]), i.e., construct a family {S_r}_{r ∈ ℚ} such that

r < r' ⇒ S_r ⊂ S_{r'} (8)

holds for r, r' ∈ ℚ. Now define for a real number r ∈ ℝ the theory S_r = ∪{S_q : q < r and q ∈ ℚ}. This clearly satisfies (8) for r, r' ∈ ℝ. □

Theorem 4.4 Let T be any lambda theory such that A ⊆ T and T ⊬ Ω = Ω₃. Then every model of T is a weakly subtractive combinatory algebra.

Proof: Let C be a model of T. The interpretation of a closed λ-term M is the element |M|_C of C (see Section 2.2). For the sake of simplicity, we write directly M for |M|_C when there is no danger of confusion. We have to define a binary term s(x, y) and two constants 0, 1 satisfying the conditions of Def. 3.1. Define 0 = Ω, 1 = Ω₃ and s(x, y) = Ωxy. Since T ⊢ Ωxx = Ω and T ⊢ ΩΩ₃Ω = Ω₃, then we have that C ⊨ ΩΩ₃Ω = Ω₃ and C ⊨ λx.Ωxx = λx.Ω. This last identity implies Ωcc = (λx.Ωxx)c = (λx.Ω)c = Ω for all c ∈ C. So, C is weakly subtractive if Ω and Ω₃ denote different elements of C. This is true because T ⊬ Ω = Ω₃ and then every model of T distinguishes Ω and Ω₃. □

A topological model of lambda calculus is any topological algebra (C, τ) such that C is a λ-model.

Corollary 4.1 Let T be any lambda theory such that A ⊆ T and T ⊬ Ω = Ω₃. If (C, τ) is a T0-topological model of T, then both τ and the specialization order of τ are not co-connected.

Proof: By Thm. 4.4, Cor. 3.1 and Thm. 3.2. □

A T0-topological model (C, τ) is called a partially ordered λ-model, a po-model for short, if τ is the Alexandroff topology defined in Section 2.3. In such a case, the application operator is monotone w.r.t. the specialization order of τ.

Theorem 4.5 Let T be any lambda theory such that A ⊆ T and T ⊬ Ω = Ω₃. Then T cannot be the theory of a po-model whose specialization order is co-connected.

Proof: A partial order is co-connected if, and only if, the corresponding Alexandroff topology is co-connected. Then the conclusion follows from the definition of po-model and from Cor. 4.1. □

The models of lambda calculus are classified into semantics according to the nature of their representable functions. A semantics is usually constituted by a class of suitable po-models. This last condition is justified by Scott's view of models as sets of sets of observations (or information) and of computable functions as monotone functions over such sets (see [47]).

Scott's continuous semantics [45] is the class of po-models whose specialization order is a complete partial ordering and the representable functions are all the continuous ones w.r.t. the Scott topology. The graph model semantics (see [46], [19], [37], [38], [10, Section 5.5]) is a subclass of the K-semantics isolated by Krivine (see [30], [10, Section 5.6.2]) within the continuous semantics. The filter model semantics was defined by Coppo, Dezani, Honsell and Longo in [16] (see also [4]) within the continuous semantics.

The stable semantics introduced by Berry [11] is the class of po-models whose specialization order is a DI-domain and the representable functions are all the stable ones.

The strongly stable semantics introduced by Bucciarelli and Ehrhard in [12] is the class of po-models whose specialization order is a DI-domain with coherence and the representable functions are all the strongly stable ones. The hypercoherence semantics introduced by Ehrhard [18] is a subclass of the strongly stable semantics.

Stability and strong stability constitute restrictions of continuity to capture the notion of sequentiality.

The first incompleteness result was given by Honsell and Ronchi della Rocca [25] for the continuous semantics. They proved that the contextual lambda theory induced by the set of essentially closed terms does not admit a continuous model. Following a similar method, Gouy [21] proved the incompleteness of the stable semantics. Other more semantic proofs of incompleteness for the continuous and stable semantics can be found in [7]. Bastonero [6] provides an incompleteness result for the hypercoherence semantics.

Bastonero [6, Section 6], Bastonero-Gouy [7, Section 7] and Berline [10, Section 6.1] conjecture that the strongly stable semantics is also incomplete. We give a positive answer to this open question in the following theorem. We essentially prove that any semantics of lambda calculus based on the concept of approximation of the information is incomplete because of Thm. 4.6(xii) below.

Theorem 4.6 (The Incompleteness Theorem) The following semantics of the lambda calculus are incomplete. More precisely, there exist semisensible lambda theories which cannot have a model in the following semantics.

(i) The graph model semantics.

(ii) The K-semantics.

(iii) The filter model semantics.

(iv) The continuous semantics.

(v) The stable semantics.

(vi) The hypercoherence semantics.

(vii) The strongly stable semantics.

(viii) The po-models with a structure of complete partial ordering.

(ix) The po-models with a structure of meet semilattice.

(x) The po-models with a structure of join semilattice.

(xi) The po-models with a structure of lattice.

(xii) The po-models with a bottom element.

(xiii) The po-models with a top element.

Proof: All the above semantics are given in terms of po-models whose specialization order is co-connected. The conclusion follows from Thm. 4.5 and from Thm. 4.3. □

Recently we have found a simpler proof of the incompleteness theorem based on a more general topological theorem and on the lambda theory axiomatized by the unique identity Ωxx = Ω. This new proof can be found in the Appendix.
5. Conclusions

We have introduced a new technique to prove the incompleteness of a wide range of lambda calculus semantics (including the strongly stable one, whose incompleteness had been conjectured). Roughly, the technique used for proving that a class C of models is incomplete is the following:

1. Find a (topological) property P verified by all models in C.

2. Find a lambda theory whose models do not verify P.

To begin with, we remark that the models of lambda calculus based on domains (continuous, stable, strongly stable models in particular) are topological combinatory algebras w.r.t. the Alexandroff topology (the strongest topology whose specialization order is the order of the considered domain), and that they are co-connected (i.e. that the closures of two open sets cannot be disjoint).

Then we define a class of topological algebras which are not co-connected, the weakly subtractive topological algebras.

What has to be shown next is that there exist lambda theories which admit only weakly subtractive combinatory algebras as models. We define a theory A and prove that all its models are weakly subtractive, then by standard techniques we get, starting from A, a continuum of lambda theories with this same property.

We are working to get a generalization of our incompleteness theorem. The open sets of the Alexandroff topology are closed under arbitrary intersection. This implies that, for every subset V of a poset (A, ≤), there exist a least open set V↑, a least closed set V↓ and a least clopen (open and closed) set, all of them including V. The minimal clopen sets constitute the partition of the space in connected components. It is possible to prove that every weakly subtractive T0-topological algebra with the Alexandroff topology admits a clopen set P such that 0 ∈ P and 1 ∉ P. This result implies the incompleteness of every semantics of lambda calculus given in terms of po-models whose Alexandroff topology is connected (recall that a space is connected if there exists no proper clopen set). We conjecture that the semantics of lambda calculus given in terms of po-models whose Alexandroff topology has a finite number of connected components is also incomplete.

Another interesting problem is related to the consistency of the lambda theory J_s axiomatized by

Ωxx = Ω; ΩxΩ = x.

We conjecture that J_s is consistent. A po-model for J_s is a subtractive combinatory algebra (see [54]), where Ω is not comparable with any other element in the model (i.e. a ≤ Ω or Ω ≤ a imply a = Ω).

A partial order is trivial if it satisfies a ≤ b iff a = b. The problem of the incompleteness of the semantics of lambda calculus is also related to the open problem of the order-incompleteness of the lambda theories: does there exist a lambda theory which cannot arise as the theory of any non-trivially partially ordered model? Selinger [50] gave a syntactical characterization, in terms of so-called generalized Mal'cev operators, of the order-incomplete lambda theories. The problem of the order-incompleteness can be stated as follows: does there exist a sequence M₁, ..., Mₙ of closed λ-terms such that the lambda theory Tₙ axiomatized by

x = M₁xyy; M_i xxy = M_{i+1} xyy; Mₙ xxy = y (i < n),

is consistent? Plotkin and Simpson (see [49]) have shown that T₁ is inconsistent, while Plotkin and Selinger (see [49]) obtained the same result for T₂. It is an open problem whether Tₙ (n ≥ 3) can be consistent. Order-incompleteness is also related to Plotkin's conjecture (see [39, 49, 50]) about the existence of absolutely unorderable combinatory algebras, where a combinatory algebra is absolutely unorderable if it cannot be embedded in any orderable combinatory algebra.
Appendix

We generalize the topological theorem of Section 3 and provide a simpler proof of the incompleteness theorem based on the lambda theory Π axiomatized by the unique identity Ωxx = Ω.

Definition 5.1 An algebra A is 3-weakly subtractive if there exist a term s(x, y) and two constants 0, 1 in the similarity type of A such that

s(x, x) = 0; 1 ≠ 0; s(1, 0) ≠ 0; s(s(1, 0), 0) ≠ 0.

Definition 5.2 A 3-weakly subtractive algebra A is 4-weakly subtractive if

s(s(s(1, 0), 0), 0) ≠ 0.

Every weakly subtractive algebra is both a 3-weakly and a 4-weakly subtractive algebra.

Theorem 5.1 Let (A, τ) be a 3-weakly subtractive T0-topological algebra. Then there exist an open neighbourhood V of 1 and an open neighbourhood W of 0 such that V ∩ W = ∅.
Proof: The proof is divided into claims. Let

c = s(1, 0); d = s(c, 0).

Claim 5.1 There exists an open neighbourhood R of c such that 0 ∉ R.

By the T0 hypothesis on τ the elements 0 and d are T0-separated. We analyse two cases.

(1) There exists a neighbourhood Z of 0 with d ∉ Z. Then

0 = s(c, c) ∈ Z.

By continuity in the second coordinate, there exists an open neighbourhood R of c such that s(c, R) ⊆ Z. If 0 ∈ R then d = s(c, 0) ∈ Z, which contradicts our hypothesis on Z. Then we have an open neighbourhood R of c such that 0 ∉ R.

(2) There exists a neighbourhood Z of d with 0 ∉ Z. Then

d = s(c, 0) ∈ Z.

By continuity in the first coordinate, there exists an open neighbourhood R of c such that s(R, 0) ⊆ Z. If 0 ∈ R then 0 = s(0, 0) ∈ Z, which contradicts our hypothesis on Z. Then we have an open neighbourhood R of c such that 0 ∉ R.

Claim 5.2 There exist an open neighbourhood V of 1 and an open neighbourhood W of 0 such that V ∩ W = ∅.

By Claim 5.1 there exists an open neighbourhood R of c such that 0 ∉ R. From s(1, 0) = c ∈ R and from the continuity of s it follows that there exist two open neighbourhoods V, W of 1 and 0 respectively such that s(V, W) ⊆ R. If there is an element b ∈ V ∩ W then 0 = s(b, b) ∈ R, which contradicts the hypothesis on R. Then we have V ∩ W = ∅.

□

Theorem 5.2 Let (A, τ) be a 4-weakly subtractive T0-topological algebra. Then there exist an open neighbourhood V of 1 and an open neighbourhood W of 0 such that

V̄ ∩ W̄ = ∅.

Proof: Let

c = s(1, 0); d = s(c, 0); e = s(d, 0).

A is 3-weakly subtractive in two different ways. It is obvious that the constant 1 satisfies the conditions of Def. 5.1. But the constant c also satisfies the conditions of Def. 5.1:

c ≠ 0; s(c, 0) ≠ 0; s(s(c, 0), 0) ≠ 0.

Then we can apply Thm. 5.1 to c to get an open neighbourhood V' of c and an open neighbourhood W' of 0 such that V' ∩ W' = ∅.

Since s is continuous and s(1, 0) = c ∈ V', there exist two other open sets V and W containing 1 and 0, respectively, such that s(V, W) ⊆ V'. The sets V and W will be the right sets for the conclusion of the theorem. Since s is continuous the pre-image of V̄' under the map s is closed. From s(V, W) ⊆ V' ⊆ V̄' the pre-image of V̄', which is closed, contains V̄ × W̄, so s(V̄, W̄) ⊆ V̄'.

We now prove that V̄ ∩ W̄ = ∅. Assume, by way of contradiction, that there is f ∈ V̄ ∩ W̄. Since s(V̄, W̄) ⊆ V̄' it follows that 0 = s(f, f) ∈ V̄'. But by definition of closure of a set this is possible only if for every open neighbourhood Z of 0, we have that Z ∩ V' ≠ ∅. But this contradicts our initial choice of V' and W' as two open neighbourhoods of c and 0 respectively with empty intersection. □

Consider the semisensible lambda theory Π axiomatized by

Ωxx = Ω.

Define

l₀ = Ω₃; l_{n+1} = Ω(l_n)Ω.

Theorem 5.3 We have:

Π ⊬ l_n = Ω for all n.

Proof: Let →_Π be the following reduction rule:

ΩMN →_Π Ω (9)

for every M and N such that Π ⊢ M = N. The reflexive closure of →_Π satisfies the diamond property, and the relations →_β and →_Π commute. Then the reduction rule →_{βΠ} = →_β ∪ →_Π is Church-Rosser by the Hindley-Rosen Lemma (see Berarducci-Intrigila [9, Thm. 3.4] and Barendregt [3, Prop. 3.3.5]).

Then we prove that Π is the lambda theory generated by conversion =_{βΠ} from →_{βΠ}, i.e.,

Π ⊢ M = N iff M =_{βΠ} N. (10)

Since ΩMN →_Π Ω iff Π ⊢ M = N, then it is obvious that M =_{βΠ} N implies Π ⊢ M = N. For the opposite direction, it is sufficient to consider that Ωxx →_Π Ω for the unique axiom Ωxx = Ω of Π.

We now prove by induction that Π ⊬ l_n = Ω. First we have that Π ⊬ l₀ = Ω because l₀ = Ω₃ and Ω do not have a common βΠ-reduct. By way of contradiction, assume Π ⊢ l_{n+1} = Ω, so that l_{n+1} = Ω(l_n)Ω =_{βΠ} Ω. Then there exists a reduction Ω(l_n)Ω →_{βΠ} Ω. This is possible only if Ω(l_n)Ω is a Π-redex, i.e. if Π ⊢ l_n = Ω. But this contradicts the induction hypothesis. □

Theorem 5.4 Every model of the lambda theory Π is a 4-weakly subtractive combinatory algebra.

Proof: Let C be a model of Π. We have to define a binary term s(x, y) and two constants 0, 1 satisfying the conditions of Def. 5.2. Define 0 = Ω, 1 = Ω₃ and s(x, y) = Ωxy. The proof of the theorem is now similar to that of Thm. 4.4 and it is omitted. □
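The omitted check, carried out here as an added illustration (it is not the paper's own text), for a λ-model C whose theory is Π, with 0 = Ω, 1 = Ω₃, s(x, y) = Ωxy and the terms l_n defined above. As in Thm. 4.4, closed terms are identified with their interpretations in C, and the inequalities rely on Thm. 5.3 because the theory of C is exactly Π.

```latex
\begin{align*}
s(x, x) &= \Omega x x = \Omega = 0
  && \text{since } \Pi \vdash \Omega x x = \Omega \text{ gives } C \models \lambda x.\Omega x x = \lambda x.\Omega ; \\
1 &= \Omega_3 = l_0 \neq \Omega = 0
  && \text{by Thm. 5.3 with } n = 0 ; \\
s(1, 0) &= \Omega\,\Omega_3\,\Omega = l_1 \neq 0
  && \text{by Thm. 5.3 with } n = 1 ; \\
s(s(1, 0), 0) &= \Omega\, l_1\, \Omega = l_2 \neq 0
  && \text{by Thm. 5.3 with } n = 2 ; \\
s(s(s(1, 0), 0), 0) &= \Omega\, l_2\, \Omega = l_3 \neq 0
  && \text{by Thm. 5.3 with } n = 3 .
\end{align*}
```

The first two lines are the conditions shared with Def. 3.1, the third and fourth complete Def. 5.1, and the last one is the extra condition of Def. 5.2; together they show why the sequence l_n was defined exactly as s iterated on 1 with second argument 0.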

Theorem 5.5 The lambda theory Π cannot be the theory of a po-model whose Alexandroff topology is co-connected.

Proof: It follows from Thm. 5.4 and from Thm. 5.2. □

Corollary 5.1 The lambda theory Π, axiomatized by Ωxx = Ω, cannot have a model in the semantics specified in Thm. 4.6.
Abstract

As already known [14], the mu-calculus [17] is as expressive as the bisimulation invariant fragment of monadic second order Logic (MSO). In this paper, we relate the expressiveness of levels of the fixpoint alternation depth hierarchy of the mu-calculus (the mu-calculus hierarchy) with the expressiveness of the bisimulation invariant fragment of levels of the monadic quantifiers alternation-depth hierarchy (the monadic hierarchy).

From van Benthem's result [3], we know already that the fixpoint free fragment of the mu-calculus (i.e. polymodal Logic) is as expressive as the bisimulation invariant fragment of monadic Σ₀ (i.e. first order logic). We show here that the ν-level (resp. the νμ-level) of the mu-calculus hierarchy is as expressive as the bisimulation invariant fragment of monadic Σ₁ (resp. monadic Σ₂) and we show that no other level Σ_k for k > 2 of the monadic hierarchy can be related similarly with any other level of the mu-calculus hierarchy.

The possible inclusion of all the mu-calculus in some level Σ_k of the monadic hierarchy, for some k > 2, is also discussed.


1  Introduction 

The propositional modal fixpoint calculus (or mu-calculus for short) introduced by Kozen [17] is considered in this paper. The mu-calculus was initially introduced as a specification formalism for processes modeled as states in transition systems.

However, using the mu-calculus as a logic of processes has a major drawback: the model-checking problem, which is to decide if a (finite) model (given as input) satisfies a formula (also given as input), remains somehow difficult. More precisely, the best model checking algorithms known so far (see [16] for the latest development) have (time) complexity where m is the size of the input graph, n is the size of the formula and d is the fixpoint alternation-depth of the formula, which depends on the input formula. Moreover, the restriction to mu-calculus formulas with a bounded fixpoint alternation-depth is (theoretically) not an issue because it also strictly reduces the expressive power of the logic. Indeed, Bradfield [4] and, in some weaker sense, Lenzi [18], prove that the hierarchy induced by the fixpoint alternation-depth (the mu-calculus hierarchy) is strict.

In practice, temporal logics [6], which all belong to low levels of the alternation depth hierarchy, are often preferred to the full mu-calculus since in that case the model checking problem has a low degree polynomial (even linear) time complexity.

It is also known that the model-checking problem belongs to NP ∩ co-NP [15]. From Fagin's famous correspondence between the class NP and the existential fragment of second order logic [7], this upper bound tells us that all mu-calculus formulas belong to the level Σ1 ∩ Π1 of the second order quantifier alternation hierarchy.

Since all mu-calculus formulas can be translated into monadic second order logic (MSO), one may ask whether similar descriptive complexity results are available for the monadic quantifier alternation hierarchy (the monadic hierarchy), which is known to be strict (even over finite models, as shown by Matz and Thomas [20]). More precisely, since the mu-calculus is as expressive as (or equivalent to) the bisimulation invariant fragment of MSO [14], one may ask whether the full mu-calculus or any level of the mu-calculus hierarchy is equivalent to the bisimulation invariant fragment of some level of the monadic hierarchy.

Van Benthem [3] already shows that the fixpoint free fragment of the mu-calculus (i.e. Polymodal Logic, also called Hennessy-Milner logic among computer scientists) is equivalent to the bisimulation invariant fragment of monadic Σ0 (i.e. FOL).

Figure 1. Correspondence between levels of the mu-calculus hierarchy and levels of the bisimulation invariant fragment of the monadic hierarchy

  Levels of the mu-calculus               Levels of the monadic hierarchy     Reference
  Mu-calculus                             Monadic Second Order Logic          Janin-Walukiewicz, 1996
  Polymodal Logic                         FOL                                 Van Benthem 1976
  ν-level of the mu-calculus              monadic Σ1                          shown here
  νμ-level of the mu-calculus             monadic Σ2                          shown here
  Properties (all?) of arbitrary levels   monadic Σ3                          shown here

Here, we complete the picture showing that:

Theorem 1.1 The ν-level (resp. the μ-level) of the mu-calculus hierarchy is equivalent to the bisimulation invariant fragment of the level Σ1 (resp. Π1) of the monadic hierarchy.

and

Theorem 1.2 The νμ-level (resp. the μν-level) of the mu-calculus hierarchy is equivalent to the bisimulation invariant fragment of the level Σ2 (resp. Π2) of the monadic hierarchy.

From Arnold's proof of the strictness of the mu-calculus hierarchy [2], we also show that:

Theorem 1.3 For each integer k > 2 there exists a bisimulation invariant formula of monadic Σ3 that does not belong to the kth level of the mu-calculus hierarchy.

In other words, no other equivalence similarly relates levels of the mu-calculus hierarchy with levels of the monadic hierarchy.

The question whether the mu-calculus is equivalent to the bisimulation invariant fragment of monadic Σk, for some integer k > 2, remains, strictly speaking, open. However, the following theorem, which is a consequence of the work of Courcelle [5], shows that, on a quite general class of graphs (or the class of all graphs¹), this is already true with monadic Σ3.

Theorem 1.4 Over the class of graphs of bounded degree (or bounded tree-width) all mu-calculus formulas can be translated into monadic Σ3 formulas.

Figure 1 above summarizes all these results. One must be aware that, for these results, we are considering arbitrary finite and infinite models. Rosen [28] shows that van Benthem's result still holds over finite models only. All other statements mentioned in Figure 1 are open problems over finite models.


¹ provided, as in MSO in [5], quantification over edges is available!


Although these new results essentially have a theoretical flavor, they can also be seen as a general toolkit to analyse, from syntax, the model-checking complexity of logics of programs. Indeed, most logics of programs are (implicitly defined as) particular fragments of the bisimulation invariant fragment of MSO. The result above says that, as soon as these logics can be translated into monadic Δ1 (resp. monadic Δ2), then the model checking complexity is linear (resp. quadratic) in the size of the input program.

Related works

The study of various bisimulation invariant fragments of logical formalisms leads to some other results.

Following Hafer and Thomas' [10] logical characterization of CTL* over the binary tree, Moller and Rabinovich [21] obtain a similar characterization of CTL* over arbitrary trees: CTL* is as expressive as the bisimulation invariant fragment of MSO over trees with path quantifiers instead of general set quantifiers.

With a more expressive language than the mu-calculus, Grädel, Hirsch and Otto show the expressive completeness of the guarded fixpoint calculus w.r.t. the bisimulation invariant fragment of guarded second order logic [9].

Over finite models, Otto gives a fixpoint characterization of bisimulation invariant PTIME [25].

In his PhD thesis [11], Hollenberg also characterizes the bisimulation invariant fragment of MSO via bisimulation quantifiers [8]. It is an open question whether his approach extends to the bisimulation invariant fragment of monadic Σ1 or monadic Σ2.

Investigating bisimulation invariance inside MSO also leads to applying works on MSO over trees. The pioneering works of Rabin [26][27] on the monadic second order theory of the binary tree (S2S) are obviously relevant here. Also the many automata characterizations of various mu-calculi over trees, which start in the early 80's with the results of Niwinski [24] or Streett and Emerson [32] among others, are fundamental. In this paper, we use one of the latest and most achieved extensions of these techniques and results, obtained by Walukiewicz [33]. Note however that Theorems 1.1 and 1.2 are not immediate consequences of these results.

For the analysis of bisimulation invariance inside monadic Σ1, the restriction to trees is even misleading since, with properties definable in monadic Σ1, bisimulation invariance over trees is less restrictive than bisimulation invariance over arbitrary graphs. Indeed, the monadic Σ1 formula ∃x p(x), although bisimulation invariant over trees, would mean, as a bisimulation invariant property over graphs, that there is a directed path from a distinguished vertex (the root of the graph) to some vertex x where p holds. This property is at least as difficult to express as directed reachability which, as shown by Ajtai and Fagin [1], is not expressible in monadic Σ1.

For the analysis of bisimulation invariance inside monadic Σ2, it is true that bisimulation invariance over trees and over graphs coincide. But then, there is no real characterization of FOL or monadic Σ1 logic of trees, so no simple inductive proof is available. To prove Theorem 1.2, we shall extend to all trees a new similar result of Lenzi [19], reproved by Skurczinski [31] in a more automata theoretical way, which says that, on the binary tree, languages definable in monadic Σ2 are exactly the languages recognizable by tree automata with Büchi conditions.

Overview

The paper is organized as follows. First we recall the definition of bisimulation equivalence. Then, in relation with it, we present the notion of κ-expansions which provide, in some sense, canonical representatives of bisimulation equivalence classes of graphs.

In the third part, we recall the definitions of Monadic Second Order Logic and the modal and counting mu-calculus. We also recall most of the known results relating these languages.

In the fourth part, we give a definition of tree automata which, with various acceptance criteria, will constitute the main technical tools to prove our results.

In the fifth and sixth parts, bisimulation invariance in monadic Σ1 and in monadic Σ2 is analyzed. Sketches of proofs for Theorem 1.1 and Theorem 1.2 are given.

In the last part, the case of levels Σk for k > 2 is considered and Theorem 1.3 and Theorem 1.4 are proved.
2 Graphs, Bisimulation and Expansion

We recall here the notions of transition systems, bisimulation equivalence and expansion of transition systems. Since a transition system is simply a directed graph with a distinguished vertex called its source or root, we use in the following the vocabulary of (directed) graphs.

Also, in order to simplify statements and proofs, we only consider here unlabeled directed graphs (built over a single binary relation symbol). One can check that all the results presented here can easily be generalized to (finitely) labeled directed graphs, i.e. graphs built over a finite set of binary relation symbols.

Let Prop be a set of unary predicate symbols and let R be a binary relation symbol. A graph with a root, simply called graph in the sequel, is a tuple consisting of a set S^M of vertices, a root r^M ∈ S^M, a binary successor relation R^M ⊆ S^M × S^M and, for each p ∈ Prop, a subset p^M ⊆ S^M.

Graphs M and N are called bisimilar when there exists a relation R ⊆ S^M × S^N, called a bisimulation relation, such that (r^M, r^N) ∈ R and, for every (s, t) ∈ R and p ∈ Prop, s ∈ p^M iff t ∈ p^N, and whenever (s, s') ∈ R^M for some s', then there exists t' such that (t, t') ∈ R^N and (s', t') ∈ R, and whenever (t, t') ∈ R^N for some t', then there exists s' such that (s, s') ∈ R^M and (s', t') ∈ R.

Given any set κ (disjoint from S^M), a κ-indexed path in M is a non empty finite or infinite word w alternating elements of S^M and elements of κ, starting with an element of S^M, such that whenever w = u.s.k.s'.v with u ∈ (S^M.κ)*, s ∈ S^M, k ∈ κ, s' ∈ S^M and v the remaining (possibly empty) suffix, one has (s, s') ∈ R^M. The length |w| of a κ-indexed path w is defined as the number of occurrences of elements of S^M in w, e.g. when w = s0.k1.s1. ... .kn.sn we put |w| = n + 1. In this case, we say s0 is the source of w, sn is the target of w and w is a (κ-indexed) path from s0 to sn.

Remark that (up to isomorphism) the notion of κ-indexed path only depends on the cardinality of κ. In particular, when κ is a singleton, κ-indexed paths are nothing but the usual (directed) paths in a graph.

The κ-expansion T^κ(M) of system M is defined as follows: the set S^{T^κ(M)} is the set of all finite κ-indexed paths of M with source r^M, the root r^{T^κ(M)} equals r^M, the relation R^{T^κ(M)} is the set of all pairs (u.s, u.s.k'.s') ∈ S^{T^κ(M)} × S^{T^κ(M)} with s and s' ∈ S^M and k' ∈ κ such that (s, s') ∈ R^M, and, for any p ∈ Prop, p^{T^κ(M)} is the set of all κ-indexed paths of the form u.s ∈ S^{T^κ(M)} with u ∈ (S^M.κ)* and s ∈ p^M.

Any κ-expansion is a tree. Moreover, when κ is a singleton, the κ-expansion of M, from now on denoted by T(M), is nothing but what is usually called the unwinding or unraveling of graph M from its root r^M. Vertices of T(M) are all finite paths from the root.

When M is a tree, i.e. when M and T(M) are isomorphic, we shall use the order relation induced by the tree-structure of M, i.e. the reflexive and transitive closure of relation R^M.

The notion of κ-expansion gives in some sense canonical representatives of equivalence classes under bisimulation as illustrated by the following fact.

Fact 2.1 For any infinite set κ and for any graphs M and N of cardinality at most |κ|, M and N are bisimilar iff T^κ(M) and T^κ(N) are isomorphic.
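The bisimulation definition above is directly computable on finite graphs: the largest bisimulation between M and N is the greatest fixpoint of a pair-deletion process, and M and N are bisimilar iff the root pair survives it. The following Python is an added example, not code from the paper; it uses the paper's vocabulary (vertices S, root r, successor relation R, predicate sets p^M) and the sample graphs in it are constructed for illustration.

```python
from itertools import product


class Graph:
    """A rooted graph in the paper's sense: vertices S, root r, successor
    relation R and, for each unary predicate p, the set of vertices where
    p holds (stored here as a label set per vertex)."""

    def __init__(self, vertices, root, edges, labels):
        self.S = frozenset(vertices)
        self.r = root
        self.R = frozenset(edges)
        self.label = {s: frozenset(labels.get(s, ())) for s in self.S}

    def succ(self, s):
        return {t for (u, t) in self.R if u == s}


def largest_bisimulation(M, N):
    """Greatest fixpoint computation: start from every pair agreeing on all
    predicates, then repeatedly delete pairs violating the forth condition
    (each M-successor matched by an N-successor) or the back condition
    (each N-successor matched by an M-successor) until nothing changes.
    The result is the union of all bisimulation relations between M and N."""
    rel = {(s, t) for s, t in product(M.S, N.S) if M.label[s] == N.label[t]}
    changed = True
    while changed:
        changed = False
        for (s, t) in list(rel):
            forth = all(any((s2, t2) in rel for t2 in N.succ(t)) for s2 in M.succ(s))
            back = all(any((s2, t2) in rel for s2 in M.succ(s)) for t2 in N.succ(t))
            if not (forth and back):
                rel.discard((s, t))
                changed = True
    return rel


def bisimilar(M, N):
    """M and N are bisimilar iff their roots are related by the largest bisimulation."""
    return (M.r, N.r) in largest_bisimulation(M, N)


# Constructed sample graphs (not from the paper).
# LOOP: one vertex with a self loop; TWO_CYCLE: two vertices alternating.
# Both unwind to the same infinite chain of p-vertices, so they are bisimilar.
LOOP = Graph({0}, 0, {(0, 0)}, {0: {"p"}})
TWO_CYCLE = Graph({"a", "b"}, "a", {("a", "b"), ("b", "a")}, {"a": {"p"}, "b": {"p"}})

# CHAIN: 0 -> 1 -> 2.  FORK: 0 -> 1 and 0 -> 3 -> 2.  Vertex 1 of FORK is a
# dead end that CHAIN's vertex 1 cannot match, so the roots are not bisimilar
# even though both graphs contain a path of length two.
CHAIN = Graph({0, 1, 2}, 0, {(0, 1), (1, 2)}, {})
FORK = Graph({0, 1, 2, 3}, 0, {(0, 1), (0, 3), (3, 2)}, {})

if __name__ == "__main__":
    print("LOOP ~ TWO_CYCLE:", bisimilar(LOOP, TWO_CYCLE))
    print("CHAIN ~ FORK:", bisimilar(CHAIN, FORK))
    print("largest bisimulation CHAIN/FORK:", sorted(largest_bisimulation(CHAIN, FORK)))
```

The deletion loop is a chaotic iteration of a monotone operator on a finite set of pairs, so it terminates at the greatest fixpoint regardless of the order in which pairs are examined; on the CHAIN/FORK pair it keeps (1, 3) and (2, 2) but discards (1, 1) and hence (0, 0).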

3 First order and monadic second order logic and the propositional μ-calculus

In this section we define first order logic (FO) and monadic second order logic (MSO) and two variants of the propositional μ-calculus [17]. All logics are interpreted over transition systems. Note that a transition system M, as defined above, is a FO-structure with domain dom(M) = S^M on the vocabulary {r, R} ∪ Prop with r a constant symbol standing for the root, R a binary relation symbol and Prop a set of unary relation symbols.

3.1 FO and MSO

Let var = {x, y, ...} and Var = {X, Y, ...} be respectively some disjoint sets of first order and monadic second order variable symbols.

First order logic over the vocabulary {r, R} ∪ Prop can be defined as follows. The set of FO formulas is the smallest set containing formulas t = t', R(t, t'), p(t), X(t) for p ∈ Prop, X ∈ Var and t ∈ var ∪ {r} and closed under negation ¬, disjunction ∨, conjunction ∧ and existential ∃ and universal ∀ quantifications over FO variables.

Monadic second order logic over the vocabulary {r, R} ∪ Prop can be defined as follows. The set of MSO formulas is the smallest set containing all FO formulas and closed under negation ¬, disjunction ∨, conjunction ∧ and existential ∃ and universal ∀ quantifications over set variables.

For any MSO formula, we use the notation φ(x1, ..., xm, X1, ..., Xn) for the formula φ with free first order variables among {x1, ..., xm} and free set variables among {X1, ..., Xn}. For any graph M, any elements s1, ..., sm ∈ S^M, any sets S1, ..., Sn ⊆ S^M, we use the notation

M ⊨ φ(s1, ..., sm, S1, ..., Sn)

to say that formula φ is true in M, or M satisfies φ, under the interpretation of each FO variable xi by the vertex si and each set variable Xj by the set Sj. We do not repeat here the definition of this satisfaction relation.

A class C of graphs is said MSO definable when there exists a sentence φ ∈ MSO, i.e. a formula with no free variable, such that M ∈ C iff M ⊨ φ. A class C of transition systems is bisimulation closed (resp. closed under unwinding) if whenever M ∈ C and M' is bisimilar to M then M' ∈ C (resp. if for any M, M ∈ C iff T(M) ∈ C). A sentence φ is bisimulation invariant (resp. unwinding invariant) if the class of transition systems it defines is bisimulation closed (resp. closed under unwinding). Remark that bisimulation invariance implies unwinding invariance since any graph M is bisimilar to its unwinding T(M).

The notion of bisimulation invariance (or unwinding invariance) extends to arbitrary formulas φ(X1, ..., Xn) with no free FO variable by considering graphs over the set of predicate symbols Prop' = Prop ∪ {X1, ..., Xn}. Since fixpoint formulas, which we will consider later, may have free set variables, we shall implicitly consider this extension of graphs to Prop' whenever there is no ambiguity.

Finally, the monadic quantifier alternation-depth hierarchy is defined as follows. The first level Σ0 = Π0 is defined as the set of all formulas of first order logic. Then, for each integer k, level Σk+1 (resp. level Πk+1) is defined as the set of all formulas of the form ∃X1 ... ∃Xn φ with φ ∈ Πk (resp. ∀X1 ... ∀Xn φ with φ ∈ Σk). The bisimulation invariant (resp. unwinding invariant) fragment of the level Σk of MSO formulas is defined as the set of all bisimulation invariant (resp. unwinding invariant) formulas of Σk with no free first order variables.

3.2 Modal and counting μ-calculus

The set of the modal μ-calculus formulas is the smallest set containing Prop ∪ Var which is closed under negation, disjunction and the following formation rules:

• if α is a formula then ◇α and □α are formulas,

• if α(X) is a formula and X occurs only positively (i.e. under an even number of negations) in α(X) then μX.α(X) and νX.α(X) are formulas.

The set of counting μ-calculus formulas is defined as above replacing the standard modalities ◇ and □ by counting modalities ◇k and □k for any integer k.

We use the same convention as for MSO with free set variables, i.e. we denote by α(X1, ..., Xn) a formula with free variables among {X1, ..., Xn}. For convenience, we may also omit these free set variables in formula α, considering then implicitly that graphs have been built over the set of unary predicate symbols Prop' = Prop ∪ {X1, ..., Xn}. In the sequel, we call fixpoint formula any formula of the modal or counting μ-calculus.
The meaning of a fixpoint formula α in a transition system M can be defined as an MSO formula φα with no free first order variables and with the same free set variables. The inductive definition of φα is described in Figure 2 below. In this figure, diff(z1, ..., zk) is the quantifier free FO formula stating that zi ≠ zj for all i ≠ j, α and β are arbitrary formulas, k is any integer, X any second order variable, and z, z1, ..., zk any FO variables. Formula φα[z/r] is the formula obtained from φα by replacing any occurrence of r by z, provided FO variable z has been chosen in such a way that it is never captured by a FO quantification during this replacement.

Atomic formulas:

φp = p(r),  φX = X(r),

Boolean connectives:

φα∧β = φα ∧ φβ,  φα∨β = φα ∨ φβ  and  φ¬α = ¬φα

Modalities:

φ◇α = ∃z R(r, z) ∧ φα[z/r],  φ□α = ∀z R(r, z) ⇒ φα[z/r]

Counting modalities:

φ◇kα = ∃z1, ..., zk diff(z1, ..., zk) ∧ ⋀_{1≤i≤k} (R(r, zi) ∧ φα[zi/r])

and φ□kα = ∀z1, ..., zk (diff(z1, ..., zk) ∧ ⋀_{1≤i≤k} R(r, zi)) ⇒ ⋁_{1≤i≤k} φα[zi/r]

Fixpoints:

φμX.α(X) = ∀X (∀z φα(X)[z/r] ⇒ X(z)) ⇒ X(r)
and φνX.α(X) = ∃X (∀z X(z) ⇒ φα(X)[z/r]) ∧ X(r)

Figure 2. Semantics of fixpoint formulas

Remark that one can choose FO variables in such a way that, for any modal mu-calculus formula α, formula φα is defined using at most two FO variables and, for any counting mu-calculus formula α, φα is defined using at most k + 1 variables where k is the greatest integer such that modality ◇k or □k occurs in α.

For any fixpoint formula α, we shall write M ⊨ α when M ⊨ φα. We say that an MSO formula φ is equivalent to a fixpoint formula α when φα and φ are equivalent.
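Figure 2 reads φα as an MSO formula, but on a finite graph the same semantics can be evaluated directly: each fixpoint is computed by Knaster-Tarski iteration (μ from the empty set upwards, ν from the full set downwards), ◇ and □ by inspecting successors, and ◇k / □k by counting distinct successors. The Python below is an added example, not code from the paper; the tuple encoding of formulas, the sample transition system and the property names are constructed for illustration.

```python
"""Model checker for modal and counting mu-calculus formulas over a finite
graph, evaluating the semantics of Figure 2 directly (added example).

Formulas are nested tuples:
  ("p", name)                      atomic proposition p
  ("var", "X")                     fixpoint variable X
  ("not", f), ("and", f, g), ("or", f, g)
  ("dia", f), ("box", f)           modal ◇ and □
  ("dia", f, k), ("box", f, k)     counting ◇_k and □_k (k distinct successors)
  ("mu", "X", f), ("nu", "X", f)   least / greatest fixpoint
As in the formation rule, a bound variable must occur positively in its body;
the fixpoint iteration below relies on that monotonicity to converge.
"""


def sat(graph, f, env=None):
    """Return the set of vertices s such that the graph rooted at s satisfies f.
    `graph` is {"succ": {s: set of successors}, "label": {s: set of props}};
    `env` maps fixpoint variables to the sets currently assumed for them."""
    env = env if env is not None else {}
    S = set(graph["succ"])
    op = f[0]
    if op == "p":
        return {s for s in S if f[1] in graph["label"].get(s, ())}
    if op == "var":
        return set(env[f[1]])
    if op == "not":
        return S - sat(graph, f[1], env)
    if op == "and":
        return sat(graph, f[1], env) & sat(graph, f[2], env)
    if op == "or":
        return sat(graph, f[1], env) | sat(graph, f[2], env)
    if op in ("dia", "box"):
        k = f[2] if len(f) > 2 else 1
        inner = sat(graph, f[1], env)
        if op == "dia":
            # ◇_k f: at least k distinct successors satisfy f
            return {s for s in S if len(graph["succ"][s] & inner) >= k}
        # □_k f: among any k distinct successors one satisfies f,
        # i.e. fewer than k successors violate f
        return {s for s in S if len(graph["succ"][s] - inner) < k}
    if op in ("mu", "nu"):
        _, X, body = f
        cur = set() if op == "mu" else set(S)  # start from bottom / top
        while True:
            nxt = sat(graph, body, {**env, X: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op!r}")


def holds(graph, root, f):
    """Root satisfaction, i.e. M |= f with r interpreted as `root`."""
    return root in sat(graph, f)


# Constructed sample transition system (not from the paper):
#   0 -> 1, 0 -> 2, 1 -> 3, 3 -> 1, 2 -> 4, 4 -> 4
# p holds at 1 and 3; err holds at 4.
G = {
    "succ": {0: {1, 2}, 1: {3}, 2: {4}, 3: {1}, 4: {4}},
    "label": {1: {"p"}, 3: {"p"}, 4: {"err"}},
}

P, ERR, X, Y = ("p", "p"), ("p", "err"), ("var", "X"), ("var", "Y")
TRUE = ("or", P, ("not", P))

# mu-level (M1): some path reaches p              mu X. p v ◇X
REACH_P = ("mu", "X", ("or", P, ("dia", X)))
# nu-level (N1): err never occurs on any path     nu X. ¬err ∧ □X
NEVER_ERR = ("nu", "X", ("and", ("not", ERR), ("box", X)))
# nu-mu-level (N2): some path visits p infinitely often
#                                                 nu X. mu Y. ◇((p ∧ X) v Y)
INF_OFTEN_P = ("nu", "X", ("mu", "Y", ("dia", ("or", ("and", P, X), Y))))
# counting modality: at least two distinct successors
BRANCHING = ("dia", TRUE, 2)

if __name__ == "__main__":
    for name, phi in [("REACH_P", REACH_P), ("NEVER_ERR", NEVER_ERR),
                      ("INF_OFTEN_P", INF_OFTEN_P), ("BRANCHING", BRANCHING)]:
        print(name, sorted(sat(G, phi)), "holds at root:", holds(G, 0, phi))
```

The three fixpoint properties sit in the levels named later in this section: REACH_P in M1, NEVER_ERR in N1 and INF_OFTEN_P, whose inner μ is nested inside an outer ν, in N2; on the sample system the root satisfies the first and third but not the second, because the branch through vertex 2 reaches err.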

The following fact follows from the above definitions:

Fact 3.1 For any fixpoint formula α, if α is a modal (resp. counting) mu-calculus formula then φα is bisimulation invariant (resp. unwinding invariant).

The following theorems show that the above invariance properties characterize in some sense the expressive power of these fixpoint calculi.

Theorem 3.2 (from Walukiewicz [33]) An MSO sentence is invariant under unwinding iff it is equivalent to some counting mu-calculus formula.

and

Theorem 3.3 (Janin-Walukiewicz [14]) An MSO sentence is invariant under bisimulation iff it is equivalent to some modal mu-calculus formula.


Finally, the (modal or counting²) fixpoint alternation-depth hierarchy is defined as follows. The first level N0 = M0 is defined as the set of all (modal or counting) fixpoint free formulas with negation only applied to propositional constants of Prop. Then, for each integer k, level Nk+1 (resp. level Mk+1) is defined as the closure of Nk ∪ Mk under disjunction, conjunction, substitution (provided no free variable becomes bound during the substitution process) and greatest fixpoint construction (resp. least fixpoint construction). In the sequel, we shall also call ν-level (resp. μ-level) or νμ-level (resp. μν-level) of the fixpoint hierarchies the level N1 (resp. M1) or N2 (resp. M2).

Theorem 3.4 (Bradfield [4]) For each integer k there is a modal mu-calculus formula α ∈ Nk which is not equivalent to any modal mu-calculus formula in Nk' with k' < k.

Arnold [2] shows that the above result still holds restricted to the binary tree. From this stronger result we also have:

Theorem 3.5 (From Arnold [2]) For each integer k there is a counting mu-calculus formula α ∈ Nk which is equivalent to no counting mu-calculus formula in Nk' with k' < k.

Proof. Observe first that the binary tree is definable in the counting mu-calculus with a formula of N1. Moreover, over the binary tree (with distinct left and right successors) the counting and the modal mu-calculus are, level by level, equally expressive. So Arnold's result extends to the counting fixpoint hierarchy. □

4 Infinite tree automata

We define here tree automata that characterize the expressive power of the two mu-calculi defined above. Although the main ideas and proof techniques go back to, at least, the work of Streett and Emerson on the mu-calculus [32], it took some time for these techniques to be really understood and generalized to wider settings than the non emptiness or the model checking problem for the modal mu-calculus alone. In this section, we more or less follow Walukiewicz's general approach [33].

² depending on the modalities one allows

In the sequel, the alphabet Σ is defined as the powerset P(Prop) of Prop. The intuition behind this is that a vertex x in a tree M is labeled by the "letter" λ(x) ∈ Σ defined as the set λ(x) = {p ∈ Prop : x ∈ p^M}.

An alternating counting tree-automaton is a tuple

A = (Q, Σ, q0, Ω, δ)

for a finite set of states Q, the finite alphabet Σ, an initial state q0 ∈ Q, a parity index function Ω : Q → ℕ and the transition function δ : Q × Σ → L(Q) where L(Q) is the set of positive FO sentences, called transition specifications, built on the vocabulary Q where each state q ∈ Q is seen as a unary predicate, i.e. the least set of FO formulas containing formulas q(x), x = y, x ≠ y, and closed under conjunction, disjunction, existential and universal FO quantifications.

Remark that here counting means that the automaton is capable, via equality and inequality inside transition specifications, to count up to some bound the number of successors of vertices.

A tree-automaton A is called an alternating modal tree-automaton when, for each q ∈ Q, each a ∈ Σ, the FO formula δ(q, a) is built without the atomic formulas x = y and x ≠ y.

A tree-automaton A is called a non deterministic counting tree-automaton when, for each q ∈ Q, a ∈ Σ, δ(q, a) is a disjunction of formulas of the form

∃x1, ..., xk diff(x1, ..., xk) ∧ q1(x1) ∧ ... ∧ qk(xk) ∧ ∀z diff(z, x1, ..., xk) ⇒ ⋁_{q' ∈ Q'} q'(z)

with any states q1, ..., qk, not necessarily distinct, and any Q' ⊆ Q where, again, the diff predicates only say that each variable is distinct from any other.

Note that non deterministic modal automata can also be defined (see [13]) but, apart from the non emptiness problem, they don't have all the interesting properties of usual notions of non deterministic automata such as, for instance, closure under projection. This comes from the fact that the modal mu-calculus (or even polymodal logic) is not closed under set quantifiers, as shown by the "formula" ∃X(◇X ∧ ◇¬X).

Given a graph M, a run of A over M is a graph ρ whose set of vertices V^ρ is some subset of the set of pairs (s, q) ∈ S^M × Q with (r^M, q0) ∈ V^ρ and whose set of edges E^ρ ⊆ V^ρ × V^ρ is such that: for any pair (s, q) ∈ V^ρ, given the local structure L_{s,q} over the vocabulary Q defined by dom(L_{s,q}) = {s' ∈ S^M : (s, s') ∈ R^M} and, for each p ∈ Q, p^{L_{s,q}} = {s' : ((s, q), (s', p)) ∈ E^ρ}, one has

L_{s,q} ⊨ δ(q, λ(s))

A run ρ is called functional when, for any s ∈ S^M there is at most one q ∈ Q such that (s, q) ∈ V^ρ.

A run ρ of A over M is an accepting run when, for each infinite path π in ρ of the form π = (r^M, q0).(s1, q1). ... the minimum min{Ω(q) : |{i ∈ ℕ : qi = q}| = ∞} is even.

The next lemma shows that, although runs are defined over arbitrary graphs, these automata implicitly "read" trees as input.

Lemma 4.1 For each graph M there is an accepting run of A over M iff there is an accepting run of A over T(M).

Proof. From left to right just notice that the unwinding of an accepting run of A over M is an accepting run of A over T(M). The converse, less immediate, can be proven within parity game theory, the existence of an accepting run of A over M being equivalent to the existence of a memoryless winning strategy in some parity game built from A and M. □

For the next lemmas and theorems, we shall concentrate on trees.

Given an automaton A, we denote by L(A) the class of all trees M such that there exists an accepting run of A over M. The class L(A) is called the language of trees recognized by A.

The following theorem can be obtained from the results presented in [33]. It also follows from [12].

Theorem 4.2 For each class of trees L, the following statements are equivalent:

1. L is definable with an MSO sentence,

2. L is definable with a counting mu-calculus formula,

3. L = L(A) for some alternating counting tree automaton A,

4. L = L(A) for some non deterministic³ counting tree automaton A.

and the next one follows from [32] and [14]:

Theorem 4.3 For each class of trees L, the following statements are equivalent:

1. L is definable with a bisimulation invariant MSO sentence,

2. L is definable with a modal μ-calculus formula,

3. L = L(A) for some modal tree automaton A.

Some particular subclasses of tree-automata will be useful in the sequel. Automaton A = (Q, Σ, q0, Ω, δ) is called a ν-automaton (resp. νμ-automaton or Büchi automaton) when Ω(Q) = {0} (resp. when Ω(Q) = {0, 1}).

These automata characterize the ν-levels and νμ-levels of the counting and modal mu-calculi in the following sense.

³ possibly with more parity indices

Lemma 4.4 (Expressiveness) A class of trees L is recognized by a (counting or modal) ν-automaton (resp. νμ-automaton) iff L is definable by a (counting or modal) mu-calculus formula of the ν-level (resp. of the νμ-level).

Proof. This lemma is a particular case of the well-known correspondence between levels of the mu-calculus hierarchy and the number of parity indices needed in alternating tree-automata. This correspondence was first achieved, in the case of the binary tree, by Niwinski [24]. See [33] for a proof in the counting mu-calculus case. □

This implies in particular that the classes of languages recognized by ν-automata or νμ-automata are closed under union and intersection.

For  counting  automata  more  properties  are  available  : 

Lemma  4.5  The  class  of  languages  recognizable  by  count¬ 
ing  u-automata  (resp.  by  counting  up-automata)  is  closed 
under  projection. 

Proof  This  lemma  follows  from  the  next  two.  □ 

Lemma  4.6  (Simulation)  A  language  recognized  by  a 
counting  u-automaton  (resp.  a  counting  up-automaton) 
is  also  recognized  by  a  non  deterministic  counting  u- 
automaton  (resp.  a  non  deterministic  counting  up- 
automaton). 

Proof  Extension  to  arbitrary  trees  of  (a  part  of)  Muller  and 
Schupp’s  simulation  theorem  [23]  for  alternating  tree  au¬ 
tomata  over  the  binary  tree.  □ 

and 

Lemma 4.7 (Projection) The projection of a language recognized by a non deterministic counting automaton is also recognized by a non deterministic automaton with the same set of states and parity function.

Proof When $A$ is non deterministic counting one can restrict runs (over trees) to be functional without changing the language recognized by $A$. Closure under projection immediately follows from this restriction. □

To conclude this section on automata, we recall here the heart of the bisimulation invariance result presented in [14] as the following lemma, which will be used in the sequel:

Lemma 4.8 For each non deterministic counting tree automaton $A$ there exists a modal automaton $B$, with the same set of states and parity function, such that, for each tree $M$ and any infinite set $\kappa$, $T^{\kappa}(M) \in L(A)$ iff $M \in L(B)$.


Proof See [14] for a complete proof. The main idea is to define $B$ as the automaton obtained from $A$ by replacing all equalities or inequalities in the FO formula of $\delta$ by some true formula. □

5  Bisimulation invariance in monadic $\Sigma_1$

In  this  section,  we  prove  theorem  1.1.  For  this,  we  first 
prove  the  analogue  for  unwinding  invariance,  from  which, 
applying  Lemma  4.4  and  Lemma  4.8,  we  obtain  the  desired 
result. 

So our goal is to prove the following theorem:

Theorem 5.1 The unwinding invariant fragment of the level $\Sigma_1$ (resp. $\Pi_1$) in the monadic hierarchy equals the $\nu$-level (resp. the $\mu$-level) of the counting mu-calculus hierarchy.

Proof By duality, it is sufficient to prove the result for monadic $\Sigma_1$. Moreover, it is a classical result, from Lemma 4.4 stated above, that properties definable in the $\nu$-level of the counting mu-calculus are definable in monadic $\Sigma_1$. So it remains to prove that:

Lemma 5.2 Any unwinding invariant formula of monadic $\Sigma_1$ is equivalent to a formula of the $\nu$-level of the counting mu-calculus.

In order to do so, one must understand that, as stated in the introduction, it is not sufficient to restrict our analysis to trees (although an unwinding invariant property is fully determined by its models among trees) because, over trees, monadic $\Sigma_1$ is strictly more expressive than the $\nu$-level of the counting mu-calculus, as the (even FO) formula $\exists x\, p(x)$ shows.

First, remark that an unwinding invariant property only speaks about the vertices reachable from the root, because any graph $M$ has the same unwinding as the subgraph induced by these vertices. This leads to the following definitions. Let $c(r_M)$ be the set of all vertices which are reachable from the root $r_M$ via a (directed) path (called in the sequel the directed connected component induced by $r_M$). For each MSO sentence $\varphi$, let us define $\varphi^c$ as the formula $\varphi$ relativized to the directed connected component $c(r)$ of $r$, i.e. $\varphi^c$ is obtained from $\varphi$ by replacing any first order or set quantification by quantifications over vertices or subsets of $c(r)$. With this definition and the previous remark it appears that if $\varphi$ is invariant under unwinding then $\varphi$ is equivalent to $\varphi^c$; in particular, if $\varphi$ is in monadic $\Sigma_1$ then $\varphi^c$ is also (definable) in monadic $\Sigma_1$.

So let $\varphi$ be an unwinding invariant monadic $\Sigma_1$ formula. By the Gaifman normal form theorem for first order logic, there is some integer $k$ such that $\varphi$ is of the form

$\varphi = \exists \bar Z.\,\varphi_1$

with $\bar Z$ a finite vector of set variables and $\varphi_1$ a finite boolean combination of FO formulas $G(\bar Z)$ of the form

$G(\bar Z) = \exists u_1, \ldots, u_l.\,\theta(u_1, \ldots, u_l, \bar Z)$

where $\theta(u_1, \ldots, u_l, \bar Z)$ is a formula stating that for all distinct indices $s$ and $t$ among $[1, l]$, $\mathit{dist}(u_s, u_t) > 2k$ and $\mathit{Ball}(u_s, k) \models \psi_s(\bar Z)$ for some FO formulas $\psi_s(\bar Z)$, with $\mathit{dist}(x, y)$ defined as the length of the shortest undirected path from $x$ to $y$ and $\mathit{Ball}(x, k)$ defined as the substructure of $M$ induced by the set of all vertices $y$ such that $\mathit{dist}(x, y) \le k$.

For notational simplicity we assume that $\varphi$ is of the form

$\varphi = \exists \bar Z.\,G(\bar Z) \wedge \neg G'(\bar Z)$

with $G(\bar Z)$ of the form $\exists u\,\theta(u, \bar Z)$ and $G'(\bar Z)$ of the form $\exists u'\,\theta'(u', \bar Z)$. One can check that this proof easily extends to the general case.

The relativization $\varphi^c$ of $\varphi$ to the strongly connected component of $r$ is then given by:

$\varphi^c = \exists \bar Z.\,G^c(\bar Z) \wedge \neg G'^c(\bar Z)$

with $G^c(\bar Z)$ given by $\exists u \in c(r).\,\theta^c(u, \bar Z)$ and $G'^c(\bar Z)$ given by $\exists u' \in c(r).\,\theta'^c(u', \bar Z)$.

Now, we know that the formula $\varphi^c$ cannot have, for arbitrarily large integers $n$, a model $M_n$ where the points of $c(r)$ satisfying $\theta^c$ have (directed) distance more than $n$ from $r$. Otherwise, the ultraproduct of the $M_n$ modulo any non principal ultrafilter would not satisfy $\varphi^c$, contrary to the $\Sigma_1$ definability of $\varphi^c$ and Łoś's ultraproduct theorem (see for instance [29]), which says that the class of models of any $\Sigma_1$ formula is closed under ultraproduct.

So, given an integer $n$ such that no model $M_{n'}$ for $n' > n$ satisfies $\varphi^c$, it turns out that formula $\varphi^c$ is equivalent to formula $\exists \bar Z.\,\neg G'^c(\bar Z) \wedge G^n(\bar Z)$ with

$G^n(\bar Z) = \exists u \in c_n(r).\,\theta^c(u, \bar Z)$

and $c_n(r)$ the set of all points directly accessible from $r$ in at most $n$ steps.

Now it is not difficult to see that $\neg G'^c(\bar Z)$ is a fixpoint formula of the $\nu$-level over trees (i.e. unwindings) and $G^n(\bar Z)$ is even a fixpoint free formula on unwindings as well. By unwinding invariance, this says that $\varphi$ is equivalent to some formula of the form $\exists \bar Z\,\varphi_{\alpha'}(\bar Z)$ with $\alpha'$ in the $\nu$-level.

Then, over trees, Lemma 4.5 ensures that $\exists \bar Z\,\varphi_{\alpha'}(\bar Z)$ is equivalent to some $\varphi_\alpha$ for some $\alpha$ in the $\nu$-level as well; hence, again by invariance under unwinding, $\varphi$ is equivalent over arbitrary models to $\varphi_\alpha$. □

6  Bisimulation invariance in monadic $\Sigma_2$

In this section, we prove Theorem 1.2. For this, again, we first prove the analogue for unwinding invariance, from which, applying Lemma 4.4 and Lemma 4.8, we obtain the desired result. So our goal is to prove the following theorem:

Theorem 6.1 The unwinding invariant fragment of the level $\Sigma_2$ (resp. $\Pi_2$) in the monadic hierarchy equals the $\nu\mu$-level (resp. the $\mu\nu$-level) of the counting mu-calculus hierarchy.

Proof. By duality, it is again sufficient to prove the result for monadic $\Sigma_2$. Moreover, it is again a classical result, from Lemma 4.4, that properties definable in the $\nu\mu$-level of the counting mu-calculus are definable in monadic $\Sigma_2$. So it remains to prove that:

Lemma 6.2 Any unwinding invariant formula of monadic $\Sigma_2$ is equivalent to a formula of the $\nu\mu$-level of the counting mu-calculus.

Proof. Somehow, the proof in the case of $\Sigma_2$ is simpler than in the case of $\Sigma_1$, for it is true that, over trees, any monadic $\Sigma_2$ formula is equivalent to a $\nu\mu$-formula; this remains to be shown.

For  this,  we  use  definability  in  weak  monadic  second 
order  logic  as  an  intermediate  step.  Remember  that  weak 
monadic  second  order  logic  is  monadic  second  order  logic 
with  set  quantification  restricted  to  finite  sets. 

A priori, using weak MSOL doesn't make sense. Indeed, over arbitrary trees, weak MSOL is incomparable with MSOL. However, Theorem 4.2 and the definition of tree automata show that analyzing MSOL over trees can be done over finitely branching trees only. In fact any MS formula satisfiable over the class of trees has a model which is finitely branching, i.e. with finitely many successors from each vertex.

For this reason, we can restrict our study to finitely branching trees, and then weak MSOL is a fragment of MSOL since, in this case, finite sets are definable in MSOL.

The sketch of the proof is then the following. First we prove

Lemma 6.3 Any language of (finitely branching) trees definable in monadic $\Sigma_1$ is definable in weak MSOL.

Then, by closure of weak MSOL under negation, this shows that monadic $\Pi_1$ is also included in weak MSOL. Hence monadic $\Sigma_2$ is included in the existential projection of weak MSOL. Now, because the class of languages definable by $\nu\mu$-automata is closed under projection (see Lemma 4.5), we prove

Lemma 6.4 Any language of (finitely branching) trees definable in weak MSOL is recognizable by a $\nu\mu$-automaton.

which concludes the proof of Lemma 6.2. □

In order to prove Lemma 6.3 we can adapt the work of Lenzi [19] to the case of finitely branching trees. Another approach, following the idea of Skurczyński [31], is to use weak $\nu\mu$-automata as an intermediate step.

We recall here that a tree automaton $A$ is a weak automaton when, for any $q \in Q$, any $a \in \Sigma$, and each state $q'$ occurring in formula $\delta(q, a)$, $\Omega(q) \le \Omega(q')$.

Then, adapting the proof presented in [30] for the $k$-ary case, one has:

Lemma 6.5 Any FO definable tree language is recognizable by a weak strongly non deterministic $\nu\mu$-automaton.

But then, since languages recognizable by strongly non deterministic weak $\nu\mu$-automata are closed under projection, it is sufficient to show that

Lemma 6.6 Any language of (finitely branching) trees recognizable by a weak automaton is definable by a weak MSOL formula.

And this last lemma is an adaptation of a similar result, by Mostowski [22], over the binary tree. □

For Lemma 6.4, it shall be clear that it can be proved by extending, in a quite straightforward way, an analogous proof due to Rabin [27] in the binary case.

This concludes the proof of Theorem 6.1 for, applying Lemma 4.4, languages recognizable by $\nu\mu$-automata equal languages definable by (counting) fixpoint formulas of the $\nu\mu$-level. □

7  Above the level $\Sigma_2$

In this section, we prove Theorem 1.3 and Theorem 1.4. For this, we assume that the reader has a general knowledge of the theory of parity games⁴. If not, Jurdziński's [16] gives an appropriate, and up to date, overview of the topic.

From [4] we know that, given an integer $k$, expressing the fact that a position in an arbitrary parity game with set of parity indices $[0, k]$ is a winning position cannot be done with any mu-calculus formula of the level $N_k$. From [2] we know that this is still the case when restricted to games of degree two.

Remark that in monadic second order logic this may also be difficult to express, because in some sense it requires some, at least implicit, construction of a (memoryless) strategy for player 0 which is winning for any play starting in the distinguished position. And winning strategies are peculiar sets of edges which are, in general, not even definable in MSOL.

Still we prove Theorem 1.3 by redefining binary games on graphs (over a more complex signature) on which guessing a winning strategy will become possible with a single existential set quantification. The main difficulty is only to ensure that such a definition leads to a bisimulation invariant class of parity games.

⁴ With the winning criterion defined as an even minimal index met infinitely often...!

More precisely, given some integer $k \ge 2$ and $Prop$ defined by $Prop = \{p_l, p_r, p_0, \ldots, p_k\}$, any graph $M$ such that both $\{p_l^M, p_r^M\}$ and $\{p_0^M, \ldots, p_k^M\}$ are partitions of the set of vertices reachable from the source $r$ (which is a bisimulation invariant property) is from now on interpreted as a parity game as follows:

1. any position (reachable from the root) is a position of player 0,

2. a move from such a position $x$ is made as follows: player 0 chooses one predicate $p \in \{p_l, p_r\}$ and then player 1 chooses the new position $y$ such that $y \in p^M$ and $(x, y)$ is an edge of $M$,

3. the disjoint predicates $p_0, \ldots, p_k$ encode the parity indices of each of these positions.

Theorem 1.3 is then a consequence of the following lemma:

Lemma 7.1 For each integer $k \ge 2$, the class $W_0$ of (encoded) games over the set of indices $[0, k]$ where the root is a winning position for player 0 is bisimulation closed, definable with a monadic $\Sigma_3$ formula and not definable in the level $N_k$ of the mu-calculus.

Proof. First observe that any bisimulation relation relates winning positions for player 0 to winning positions for player 0, so the class $W_0$ is indeed bisimulation closed.

Then, it is clear that any binary game can be encoded in such a way. Moreover, computing with a mu-calculus formula the fact that the root $r$ is a winning position for player 0 in this encoding is as difficult (in terms of number of alternations of least and greatest fixpoints) as computing the fact that the root $r$ is a winning position for the same player in binary games, so, following the result of Arnold [2], it requires at least $k + 1$ alternations of least and greatest fixpoints.

Now, to conclude the proof it is sufficient to show that the class $W_0$ is definable in monadic $\Sigma_3$. But this can easily be achieved as follows: first, with some existential set quantifier, one can guess a winning strategy for player 0, e.g. guessing the set of positions $X$ from which player 0 chooses predicate $p_l$. Then it is clear that a $\mu\nu$-formula of the mu-calculus (hence a monadic $\Pi_2$ formula) is sufficient to check that this set $X$ is indeed a winning strategy for player 0 in any play that starts at the root. Indeed, one has to check the minimal parity condition on any cycle reachable from the root when player 0 follows the strategy given by set $X$. In the intended $\mu\nu$-formula, one least fixpoint enables us to reach any of these cycles and then one nested greatest fixpoint enables us to check that the minimum parity index met on each of these cycles is even. Guessing a winning strategy and checking that it is winning for player 0 can thus be expressed in monadic $\Sigma_3$. □

The proof of Theorem 1.4 is also almost done. Indeed, from the proofs of the previous lemmas it is clear that with one existential quantification over sets of edges the winning positions for player 0 can be expressed as a monadic $\Sigma_3$ unary predicate. But it also follows from Lemma 4.4 that checking a fixpoint formula on a graph can be done via a monadic $\Sigma_1$ transduction, which leads to computing winning positions with as many parity indices as the alternation depth of the formula. Moreover, if the input graph is of bounded degree (or bounded tree-width) then the resulting parity game is also of bounded degree (or bounded tree-width). Now Courcelle shows that over graphs with bounded degree (or tree-width) quantification over edges can be "simulated" by quantifications over vertices via, again, a monadic $\Sigma_1$ transduction. Altogether, this says that over graphs of bounded degree (or bounded tree-width) mu-calculus formulas can be translated into monadic $\Sigma_3$ formulas. This concludes the proof of Theorem 1.4. □
Abstract

We introduce a simple game theoretic approach to satisfiability checking of temporal logic, for LTL and CTL, which has the same complexity as using automata. The mechanisms involved are both explicit and transparent, and underpin a novel approach to developing complete axiom systems for temporal logic. The axiom systems are naturally factored into what happens locally and what happens in the limit. The completeness proofs utilise the game theoretic construction for satisfiability: if a finite set of formulas is consistent then there is a winning strategy (and therefore construction of an explicit model is avoided).


1  Introduction 

The automata theoretic approach to satisfiability checking for temporal logic is very popular and successful [6, 17]. However there is a cost with the involvement of automata mechanisms and in particular the book keeping implicit in the product construction, when a local automaton is paired with an eventuality automaton. While this is not an impediment for checking satisfiability it appears to be for other formal tasks such as showing that an axiomatisation of a temporal logic is complete. When proving completeness, one needs to establish that a finite consistent set of formulas is satisfiable. It is not known, in general, how to plug into such a proof automata theoretic constructions (such as product and determinisation) for satisfiability. Instead standard completeness proofs either appeal to "canonical" structures built from maximal consistent sets [15, 8] or tableaux which explicitly build models from consistent sets, as illustrated by the delicate proofs of completeness for CTL* [14] and modal $\mu$-calculus [18], and even the proofs of completeness for LTL [7, 13] (future linear time logic) and CTL [5] (computation tree logic).

In this paper we introduce a simple game theoretic approach to satisfiability checking of temporal logic, for LTL and CTL, which has the same complexity as using automata. The mechanism involved, the use of a "focus", is both explicit and transparent, and underpins a novel approach to developing complete axiom systems for temporal logic. The axiom systems are naturally factored into what happens locally and what happens in the limit. The completeness proofs use the game theoretic construction for satisfiability: if a finite set of formulas is consistent then there is a winning strategy (and therefore construction of an explicit model is avoided).

Although the origin of these games is model checking CTL* [12], it remains to be seen if the game technique extends to satisfiability checking of CTL* and modal $\mu$-calculus. Moreover, it remains to be seen if the technique is practically viable for testing satisfiability of LTL and CTL.

2  LTL 

We present LTL [7] in positive form, where only atomic formulas are negated. Let $Prop$ be a family of atomic propositions closed under negation, where $\neg\neg q = q$, and containing the constants $tt$ (true) and $ff$ (false). Formulas of LTL are built from $Prop$ using the boolean connectives $\vee$ and $\wedge$, the unary temporal operator $X$ (next) and the binary temporal connectives $U$ (until) and its dual $R$ (release).

We assume a usual $\omega$-model for formulas, consisting of an infinite sequence of states which are maximal consistent sets of atomic formulas. A state $s$ therefore obeys the condition that for any $q \in Prop$, $q \in s$ iff $\neg q \notin s$, and $tt \in s$ and $ff \notin s$. The semantics inductively defines when an $\omega$-sequence of states $\sigma$ satisfies a formula $\Phi$, written $\sigma \models \Phi$. In the case of $q \in Prop$, $\sigma \models q$ iff $q$ is in the initial state of $\sigma$. The clauses for the boolean connectives are as usual. If $\sigma = s_0 s_1 \ldots$ and $i \ge 0$ then $\sigma^i = s_i s_{i+1} \ldots$ is the $i$th suffix of $\sigma$. The remaining clauses are as follows.

$\sigma \models X\Phi$ iff $\sigma^1 \models \Phi$

$\sigma \models \Phi U \Psi$ iff $\exists i \ge 0.\ \sigma^i \models \Psi$ and $\forall j : 0 \le j < i.\ \sigma^j \models \Phi$

$\sigma \models \Phi R \Psi$ iff $\forall i \ge 0.\ \sigma^i \models \Psi$ or $\exists j : 0 \le j < i.\ \sigma^j \models \Phi$
We assume that $F\Psi$ (eventually $\Psi$) abbreviates $tt\,U\,\Psi$ and its dual $G\Psi$ (always $\Psi$) abbreviates $ff\,R\,\Psi$. The meanings of $U$ and $R$ are determined by their fixed point definitions: $\Phi U \Psi$ is the least solution to $\alpha = \Psi \vee (\Phi \wedge X\alpha)$ whereas $\Phi R \Psi$ is the largest solution of $\alpha = \Psi \wedge (\Phi \vee X\alpha)$.

A formula $\Phi$ is satisfiable if there is a model $\sigma$ such that $\sigma \models \Phi$. In the naive tableau approach to deciding satisfiability, one constructs an "or" decision tree. The root is a finite set of initial formulas, and the decision question is whether their conjunction is satisfiable. Child nodes are produced by local rules on formulas. A node $\Gamma \cup \{\Phi \wedge \Psi\}$ has child $\Gamma \cup \{\Phi, \Psi\}$. A node $\Gamma \cup \{\Phi \vee \Psi\}$ has two children $\Gamma \cup \{\Phi\}$ and $\Gamma \cup \{\Psi\}$. Formulas $\Phi U \Psi$ and $\Phi R \Psi$ are replaced by their fixed point unfoldings, $\Psi \vee (\Phi \wedge X(\Phi U \Psi))$ and $\Psi \wedge (\Phi \vee X(\Phi R \Psi))$. After repeated applications of these rules, a node without children has the form $q_1, \ldots, q_n, X\Phi_1, \ldots, X\Phi_m$ where each $q_i \in Prop$. If the set $P = \{q_1, \ldots, q_n\}$ is unsatisfiable then the node is an unsuccessful leaf. If $P$ is satisfiable and $m = 0$ then the node is a successful leaf. Otherwise a new child $\Phi_1, \ldots, \Phi_m$ is produced, which amounts to moving to a new state.

Nodes with until or release formulas may continually produce children, and therefore one also needs another criterion for when a node counts as a leaf. An obvious candidate is when a node is a repetition, that is, contains the same formulas as an earlier node (and in between there is at least one application of the new state rule). Whether or not such a leaf is successful will depend on whether formulas are the result of the fixed point unfolding of a release or an until formula. A repeat of $\Phi R \Psi$ should be successful whereas a repeat of $\Phi U \Psi$ is unsuccessful.

Consider the following example decision tree, where set braces are dropped (and $tt$ and $ff$ are dispensed with, so the unfolding of $F\Psi$ is $\Psi \vee XF\Psi$ and the unfolding of $G\Psi$ is $\Psi \wedge XG\Psi$).

                    Fq, XGFq
                        |
                 q ∨ XFq, XGFq
                /              \
        q, XGFq                  XFq, XGFq
          | Next                    | Next
         GFq                      Fq, GFq
          |                          |
      Fq ∧ XGFq                Fq, Fq ∧ XGFq
          |                          |
       Fq, XGFq                   Fq, XGFq

Next labels a transition to a new state. Both leaves in this tree are repetitions of the root. However the left leaf should count as successful because the formula $Fq$ at the initial node is "fulfilled" in the left branch, giving the model $s_0^{\omega}$ (the state $s_0$ repeated forever) where $q \in s_0$. In contrast $Fq$ is not fulfilled in the right branch and is thereby "regenerated", and therefore the right leaf should count as unsuccessful.


The problem of which fixed points are regenerated disappears in the automata theoretic approach to satisfiability [17]. Roughly speaking, the decision tree is then only part of the story. It is captured by the "local" automaton and one also needs to factor in the "eventuality" automaton which automatically deals with regeneration of fixed points, and therefore the problem does not arise. However the cost is the use of the product construction between the two automata. While this is not an impediment for checking satisfiability it appears to be for other formal tasks such as showing that an axiomatisation of a temporal logic is complete.

We now show that a simple game theoretic approach to satisfiability checking, where the mechanisms are both explicit and transparent, has the virtue that it also leads to very simple proofs of completeness for both LTL and CTL.

3  Games  for  LTL 

In the naive tableau approach to satisfiability there are "or" choices but there are no "and" choices. Recasting as a game, "or" choices are $\exists$-choices for the player $\exists$ and "and" choices are $\forall$-choices for the player $\forall$. The role of player $\exists$ is that of verifier, "I want to show that the initial set of formulas is satisfiable", whereas the role of $\forall$ is that of refuter, "I want to show that the initial set of formulas is unsatisfiable". In a position $\Gamma, \Phi_1 \vee \Phi_2$ player $\exists$ chooses the disjunct $\Phi_i$, and play continues from the position $\Gamma, \Phi_i$. The idea is that $\exists$ ($\forall$) has a winning strategy iff the initial set of formulas is satisfiable (unsatisfiable).

We need to force player $\forall$ to make choices. A new component, the "focus", is introduced into a set of formulas for this purpose. One of the formulas in a position is in focus. We write $[\Phi], \Gamma$ to represent the position $\Gamma \cup \{\Phi\}$ when $\Phi$ is in focus. Player $\forall$ chooses which formula is in focus. If it is an "and" formula then $\forall$ chooses which subformula to keep in focus. During a play $\forall$ may also change her mind, and move the focus to a different formula.

Given a starting formula $\Phi_0$ (the conjunction of the initial formulas) we will define its focus game $G(\Phi_0)$. The set of subformulas of $\Phi_0$, $Sub(\Phi_0)$, is defined as expected but with the requirement that the unfolding of an until, $\Psi \vee (\Phi \wedge X(\Phi U \Psi))$, is a subformula of $\Phi U \Psi$ and the unfolding of a release, $\Psi \wedge (\Phi \vee X(\Phi R \Psi))$, is a subformula of $\Phi R \Psi$. A position in a play of $G(\Phi_0)$ is an element $[\Phi], \Gamma$ where $\Phi \in Sub(\Phi_0)$ and $\Gamma \subseteq Sub(\Phi_0) - \{\Phi\}$. A play of the game $G(\Phi_0)$ is a sequence of positions $P_0 P_1 \ldots P_n$ where $P_0$ is the initial position $[\Phi_0]$, and the change in position $P_i$ to $P_{i+1}$ is determined by one of the moves of Figure 1. They are divided into three groups. First are rules for $\exists$ who chooses disjuncts in and out of focus. Second are the moves for player $\forall$ who chooses which conjunct remains in focus and who also can change focus with the rule change. Finally, there are the remaining moves which do not involve any choices, and so neither player is responsible for them.

Player ∃ (chooses i ∈ {0, 1}):

    [Φ0 ∨ Φ1], Γ            →   [Φi], Γ
    [Φ], Φ0 ∨ Φ1, Γ         →   [Φ], Φi, Γ

Player ∀:

    [Φ0 ∧ Φ1], Γ            →   [Φi], Φ(1-i), Γ          (∀ chooses i ∈ {0, 1})
    [Φ], Ψ, Γ               →   [Ψ], Φ, Γ                (change)

Other moves:

    [ΦUΨ], Γ                →   [Ψ ∨ (Φ ∧ X(ΦUΨ))], Γ
    [Φ'], ΦUΨ, Γ            →   [Φ'], Ψ ∨ (Φ ∧ X(ΦUΨ)), Γ
    [ΦRΨ], Γ                →   [Ψ ∧ (Φ ∨ X(ΦRΨ))], Γ
    [Φ'], ΦRΨ, Γ            →   [Φ'], Ψ ∧ (Φ ∨ X(ΦRΨ)), Γ
    [Φ], Φ0 ∧ Φ1, Γ         →   [Φ], Φ0, Φ1, Γ
    [XΦ], XΦ1, ..., XΦn, q1, ..., qm   →   [Φ], Φ1, ..., Φn     (next)

Figure 1. Game moves

These include the fixed point unfolding of until and release in and out of focus, the removal of $\wedge$ out of focus and the next state rule, next, where the focus remains with the subformula of the next formula in focus. It is therefore incumbent on $\forall$ to make sure that an $X$ formula is in focus when next is applied.

The next ingredient in the definition of the game is the winning conditions for a player, that is, when a play counts as a win.

Definition 1 Player $\forall$ wins the play $P_0, \ldots, P_n$ if

1. $P_n$ is $[q], \Gamma$ and ($q$ is $ff$ or $\neg q \in \Gamma$) or

2. $P_n$ is $[\Phi U \Psi], \Gamma$ and for some $i < n$ the position $P_i$ is $[\Phi U \Psi], \Gamma$ and between $P_i \ldots P_n$ player $\forall$ has not applied the rule change.

Therefore $\forall$ wins if there is a simple contradiction or a repeat position with the same until formula in focus and no application of change between the repeats.

Definition 2 Player $\exists$ wins the play $P_0, \ldots, P_n$ if

1. $P_n$ is $[q_1], \ldots, q_n$ and $\{q_1, \ldots, q_n\}$ is satisfiable or

2. $P_n$ is $[\Phi R \Psi], \Gamma$ and for some $i < n$ the position $P_i$ is $[\Phi R \Psi], \Gamma$ or

3. $P_n$ is $[\Phi], \Gamma$ and for some $i < n$ the position $P_i$ is $[\Phi], \Gamma$ and between $P_i \ldots P_n$ player $\forall$ has applied the rule change.


So $\exists$ wins if player $\forall$ is unable to focus on an $X$ formula so that next can be applied when the atomic formulas are satisfiable. The other two conditions cover repeat positions. First is the case where the repeat position has the same release formula in focus, and second is the case of a repeat where the same formula is in focus and change has been applied between the repeat positions. The following upper bound on the length of a play is obvious.
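The moves of Figure 1 and the winning conditions of Definitions 1 and 2 turned into a decision procedure, as an added example that is not code from the paper: an exhaustive search over all plays reports whether $\exists$ has a winning strategy for $G(\Phi_0)$, i.e. whether $\Phi_0$ is satisfiable. The function names (`satisfiable`, `exists_wins`) and the scheduling of rules are assumptions: the text fixes no order, so the formula in focus is reduced before the formulas of $\Gamma$, and $\forall$ may apply change at every step.

```python
# Added example (not the paper's code): the focus game of Figure 1 and Definitions 1 and 2
# as a decision procedure.  Formulas are in positive form: atoms are strings ('q', '~q'
# for a negated atom, 'tt', 'ff'); compound formulas are tuples ('or', a, b),
# ('and', a, b), ('X', a), ('U', a, b) and ('R', a, b).
# Assumption (the text fixes no scheduling of rules): the formula in focus is reduced
# first, then the formulas of Gamma in a fixed order; 'change' is available at every step.
import sys
from functools import lru_cache

sys.setrecursionlimit(20000)


def is_atom(f):
    return isinstance(f, str)


def neg(q):
    """Negation of an atom: ~~q = q, and tt / ff are each other's negation."""
    if q in ('tt', 'ff'):
        return 'ff' if q == 'tt' else 'tt'
    return q[1:] if q.startswith('~') else '~' + q


def F(a):
    return ('U', 'tt', a)          # eventually a  =  tt U a


def G(a):
    return ('R', 'ff', a)          # always a  =  ff R a


def unfold(f):
    """Fixed point unfolding: a U b -> b or (a and X(a U b)); a R b -> b and (a or X(a R b))."""
    op, a, b = f
    return ('or', b, ('and', a, ('X', f))) if op == 'U' else ('and', b, ('or', a, ('X', f)))


def consistent(atoms):
    """A set of atoms is satisfiable iff it contains neither ff nor a complementary pair."""
    return 'ff' not in atoms and not any(neg(q) in atoms for q in atoms)


def position(focus, gamma):
    """The position [focus], Gamma; Gamma never contains the formula in focus."""
    return (focus, frozenset(gamma) - {focus})


@lru_cache(maxsize=None)
def exists_wins(pos, old, recent):
    """True iff player E (the verifier) wins the game from position pos.

    The history is kept as two sets: 'old' holds the positions visited before the last
    'change' move and 'recent' those visited since; Definitions 1 and 2 need no more.
    """
    focus, gamma = pos
    if is_atom(focus) and (focus == 'ff' or neg(focus) in gamma):
        return False                                # Def. 1.1: contradiction in focus
    if is_atom(focus) and all(map(is_atom, gamma)) and consistent(gamma | {focus}):
        return True                                 # Def. 2.1: consistent state, no X formula
    if pos in old or pos in recent:                 # repeat position
        if not is_atom(focus) and focus[0] == 'R':
            return True                             # Def. 2.2: release in focus
        if pos in old:
            return True                             # Def. 2.3: change applied between repeats
        if not is_atom(focus) and focus[0] == 'U':
            return False                            # Def. 1.2: until regenerated, no change
    recent2 = recent | {pos}
    step = lambda p: exists_wins(p, old, recent2)
    # Rule change: A may move the focus to any formula of Gamma; the history becomes 'old'.
    options = [exists_wins(position(g, gamma | {focus}), old | recent2, frozenset())
               for g in gamma]
    if not is_atom(focus) and focus[0] != 'X':      # reduce the formula in focus
        op, a, b = focus
        if op == 'or':                              # E chooses the disjunct
            options.append(any(step(position(c, gamma)) for c in (a, b)))
        elif op == 'and':                           # A chooses the conjunct kept in focus
            options += [step(position(a, gamma | {b})), step(position(b, gamma | {a}))]
        else:                                       # U or R: unfold in focus
            options.append(step(position(unfold(focus), gamma)))
    else:                                           # focus is atomic or an X formula
        todo = sorted((g for g in gamma if not is_atom(g) and g[0] != 'X'), key=repr)
        if todo:                                    # reduce a formula out of focus
            g = todo[0]
            op, a, b = g
            rest = gamma - {g}
            if op == 'or':                          # E chooses the disjunct
                options.append(any(step(position(focus, rest | {c})) for c in (a, b)))
            elif op == 'and':
                options.append(step(position(focus, rest | {a, b})))
            else:
                options.append(step(position(focus, rest | {unfold(g)})))
        elif not is_atom(focus):                    # [X f], X f1, ..., q1, ...: rule next
            options.append(step(position(focus[1], {g[1] for g in gamma if not is_atom(g)})))
    assert options, "unreachable: a position without any move is terminal"
    return all(options)                             # A picks the move; E must win all of them


def satisfiable(phi0):
    """Phi0 is satisfiable iff E wins G(Phi0) (Proposition 1 and its converse)."""
    return exists_wins(position(phi0, ()), frozenset(), frozenset())
```

`satisfiable(('and', F('q'), ('X', G(F('q')))))` is the example tree of Section 2 and returns True, while `G('~q')` together with `F('q')` returns False because $\forall$ keeps the until in focus until it repeats.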

Fact 1 Every play of $G(\Phi_0)$ has finite length less than $|Sub(\Phi_0)| \times$

A player wins the game $G(\Phi_0)$ if the player is able to win every play of the game, that is, has a winning strategy¹. The following is a simple consequence of Fact 1 and the fact that the winning conditions are mutually exclusive.

Fact 2 Every game $G(\Phi_0)$ has a unique winner.

Next we come to the game characterisation of satisfiability, which we split into two halves.

Proposition 1 If $\exists$ wins the game $G(\Phi_0)$ then $\Phi_0$ is satisfiable.

Proof: Assume $\exists$ wins the game $G(\Phi_0)$. Consider the play where $\forall$ uses the following optimal strategy. Fix a priority list of all until subformulas of $\Phi_0$, in decreasing order of size. We say that $\Phi U \Psi$ is present in a position $P$ if either $\Phi U \Psi \in P$ or $\Psi \vee (\Phi \wedge X(\Phi U \Psi)) \in P$ or $X(\Phi U \Psi) \in P$. Player $\forall$ starts with the focus on $\Phi_0$. If the formula in focus is a release formula $\Phi R \Psi$ and $\Psi$ contains an until subformula then $\forall$ chooses $\Psi$ when the release formula is unfolded. If the formula is a conjunction then $\forall$ chooses a conjunct with an until subformula. If the focus remains on a release formula or ends up on a member of $Prop$ then $\forall$ changes focus, if this is possible, to the until formula which is present in the position and which is earliest in the priority list. If the focus is on an until formula $\Phi U \Psi$ then $\forall$ keeps the focus on it until it is "fulfilled", that is until player $\exists$ chooses $\Psi$ when it is unfolded. This until formula is then moved to the end of the priority list. Player $\forall$ then changes focus to the earliest until formula in the priority list which is present in the position, if this is possible. This argument is then repeated. By assumption player $\exists$ wins against this strategy, and the play has finite length. It is now straightforward to extract an eventually cyclic model from the play, where every until formula present in some position will be fulfilled. □

Next we prove the converse of Proposition 1. One proof is to show how a winning strategy for ∃ can be extracted from a model of Φ₀. However we provide an alternative proof which is the key to obtaining a complete axiom system. We utilise an observation from fixed point logics about least fixed points. Given Park's fixed point induction principle (1) below and that a fixed point is equivalent to its unfolding (2), Lemma 1 below holds (as observed by a number of researchers, for instance [10, 15, 19]). Standard substitution is assumed: Ψ{Φ/Y} is the replacement of all free occurrences of Y in Ψ with Φ. Moreover we write ⊨ Φ to mean Φ is valid (true everywhere in all models).

¹Formally a winning strategy, see for example [9], for player ∃ is a set of rules π of the form: if the play so far is P₀ … Pₙ and Pₙ is [Φ₀ ∨ Φ₁],Γ ([Φ],Φ₀ ∨ Φ₁,Γ) then choose [Φᵢ],Γ ([Φ],Φᵢ,Γ). Similarly for player ∀. A play obeys π if all the moves played by the player obey the rules in π. A strategy π is winning for a player if she wins every play in which she uses π.

(1) if ⊨ Ψ{Φ/Y} → Φ then ⊨ μY.Ψ → Φ

(2) ⊨ μY.Ψ ↔ Ψ{μY.Ψ/Y}

Lemma 1 If Y is not free in Φ and Φ ∧ μY.Ψ is satisfiable then the formula Φ ∧ Ψ{(μY.¬Φ ∧ Ψ)/Y} is satisfiable.

Proof: Suppose Φ ∧ μY.Ψ is satisfiable, but ⊨ Ψ{(μY.¬Φ ∧ Ψ)/Y} → ¬Φ. Therefore ⊨ Ψ{(μY.¬Φ ∧ Ψ)/Y} → ¬Φ ∧ Ψ{(μY.¬Φ ∧ Ψ)/Y}. Hence by (2) ⊨ Ψ{(μY.¬Φ ∧ Ψ)/Y} → μY.¬Φ ∧ Ψ, and so by (1) ⊨ μY.Ψ → μY.¬Φ ∧ Ψ, which contradicts that Φ ∧ μY.Ψ is satisfiable. □

Lemma 1 sanctions the following property of until unfolding.

Lemma 2 If Φ' ∧ (ΦUΨ) is satisfiable then Φ' ∧ (Ψ ∨ (Φ ∧ X((Φ ∧ ¬Φ')U(Ψ ∧ ¬Φ')))) is satisfiable.

Proof: Assume Φ' ∧ (ΦUΨ) is satisfiable. So there is a model σ such that σ ⊨ Φ' and σ ⊨ ΦUΨ, and therefore σⁱ ⊨ Ψ and σʲ ⊨ Φ for j : 0 ≤ j < i, for some i ≥ 0. Also assume Φ' ∧ (Ψ ∨ (Φ ∧ X((Φ ∧ ¬Φ')U(Ψ ∧ ¬Φ')))) is not satisfiable, and so the following validity holds: ⊨ Φ' → (¬Ψ ∧ (¬Φ ∨ X((¬Φ ∨ Φ')R(¬Ψ ∨ Φ')))). Because σ ⊨ Φ', therefore σ ⊨ ¬Ψ ∧ (¬Φ ∨ X((¬Φ ∨ Φ')R(¬Ψ ∨ Φ'))). So σ ⊨ ¬Ψ and because σ ⊨ ΦUΨ it follows that σ ⊨ Φ. And so σ ⊨ X((¬Φ ∨ Φ')R(¬Ψ ∨ Φ')), and therefore σ¹ ⊨ (¬Φ ∨ Φ')R(¬Ψ ∨ Φ'). And so σ¹ ⊨ ¬Ψ ∨ Φ' and σ¹ ⊨ ¬Φ ∨ Φ' ∨ X((¬Φ ∨ Φ')R(¬Ψ ∨ Φ')). If σ¹ ⊨ Φ' then σ¹ ⊨ ¬Ψ by the valid formula above, and so σ¹ ⊨ ¬Ψ and because σ¹ ⊨ ΦUΨ it follows that σ¹ ⊨ Φ, and so σ¹ ⊨ X((¬Φ ∨ Φ')R(¬Ψ ∨ Φ')). The argument is now repeated for subsequent j > 0, which contradicts that σ ⊨ ΦUΨ. □

Proposition 2 If Φ₀ is satisfiable then player ∃ wins the game G(Φ₀).

Proof: Assume that Φ₀ is satisfiable. We show that player ∃ wins the game G(Φ₀). The idea is that ∃ always chooses a move which preserves satisfiability (and ∀ has to choose moves which preserve satisfiability). If Γ ∧ (Φ₀ ∨ Φ₁) is satisfiable then Γ ∧ Φᵢ is satisfiable for at least one i ∈ {0, 1}, and so player ∃ chooses such an i. If the position is [ΦUΨ],Γ where the until formula is in focus then player ∃ adorns the interpretation of it when it is unfolded, [Ψ ∨ (Φ ∧ X(Φ_{¬Γ}UΨ_{¬Γ}))],Γ, where Φ_{¬Γ} and Ψ_{¬Γ} are to be understood as Φ ∧ ¬⋀Γ and Ψ ∧ ¬⋀Γ. This adornment, which is justified by Lemma 2, is repeated as long as the until formula is in focus. Whenever ∀ changes mind, an adorned until subformula Φ_{¬Γ₁ ∧ … ∧ ¬Γₙ}UΨ_{¬Γ₁ ∧ … ∧ ¬Γₙ} loses its adornment and is returned to its intended interpretation ΦUΨ. Now it is easy to see that ∀ can never win. Condition 1 of the winning condition for ∀ cannot be reached because ∃ preserves satisfiability. And condition 2, the repeat position, cannot occur because ⊨ Φ_{¬Γ₁ ∧ … ∧ ¬Γₙ}UΨ_{¬Γ₁ ∧ … ∧ ¬Γₙ} → ¬⋀Γᵢ. □

Proposition 3 The complexity of deciding the winner of G(Φ₀) is in PSPACE.

Proof: Consider the tree of all plays in G(Φ₀) where the position of the focus is completely determined by the strategy described in the proof of Proposition 1, above. Player ∃ wins G(Φ₀) iff there exists a path in this tree such that ∃ wins the play of this path. An algorithm P can nondeterministically choose this path. The required space is polynomial in the size of the input. P only has to store a counter and two configurations: the actual one, which gets overwritten every time a new game rule is applied, and the one which is repeated in case ∃ wins the play with her winning condition 2 or 3. The latter can be chosen nondeterministically, too, and gets deleted every time the rule change is applied. The counter is needed to terminate the algorithm if it did not find a repeat after |Sub(Φ₀)| · … configurations. Notice that the size of the counter also is polynomial in the length of the input |Φ₀|. Hence by Savitch's Theorem the problem can be solved in PSPACE. □

4 A complete axiomatisation for LTL

The game theoretic characterisation of satisfiability offers a simple basis for extracting a complete axiom system for LTL. Given an axiom system A, a formula Φ is A-consistent if A ⊬ ¬Φ. The axiom system A is complete provided that for any Φ, if Φ is A-consistent then Φ has a model. In this framework this becomes

(*) if Φ is A-consistent then ∃ wins the game G(Φ).

The axiom system A for LTL is presented in Figure 2. The axioms and rules were developed with the proof of (*) in mind. Axioms 1–6 and the rules MP and XGen provide "local" justifications for the rules of the focus game for LTL, and axiom 7 and the rule Rel capture ∃'s winning strategy.

Theorem 1 The axiom system A is sound and complete for LTL.
Axioms

1. any tautology instance
2. ΦUΨ ↔ Ψ ∨ (Φ ∧ X(ΦUΨ))
3. ΦRΨ ↔ Ψ ∧ (Φ ∨ X(ΦRΨ))
4. X¬Φ ↔ ¬XΦ
5. XΦ ∧ XΨ → X(Φ ∧ Ψ)
6. X(Φ → Ψ) → (XΦ → XΨ)
7. …

Rules

MP if ⊢ Φ and ⊢ Φ → Ψ then ⊢ Ψ
XGen if ⊢ Φ then ⊢ XΦ
Rel if ⊢ Φ' → Ψ ∧ (Φ ∨ X((Φ ∨ Φ')R(Ψ ∨ Φ'))) then ⊢ Φ' → ΦRΨ

Figure 2. The axiom system A

Proof: Soundness of A is straightforward. Each axiom is valid and each rule preserves validity. The interesting case is the rule Rel, whose soundness was proved in Lemma 2 of the previous section. For completeness of A we establish (*): if Φ₀ is A-consistent then ∃ wins the game G(Φ₀). The proof is similar to Proposition 2 of the previous section. Given a finite A-consistent set of LTL formulas we show that any player ∀ move or other move in Figure 1 preserves A-consistency, and that player ∃ can preserve A-consistency when she moves. If Γ, Φ₁ ∨ Φ₂ is A-consistent then Γ, Φᵢ is A-consistent for some i by axiom 1 and the rule MP. Axioms 2 and 3 are needed for the fixed point unfolding moves. Axioms 4–6 and rule XGen are required for the next move. If Φ₁, …, Φₘ is not A-consistent then A ⊢ Φ₁ ∧ … ∧ Φₘ₋₁ → ¬Φₘ and so A ⊢ XΦ₁ ∧ … ∧ XΦₘ₋₁ → ¬XΦₘ using XGen and axioms 6, 5 and one half of 4. Finally rule Rel is used to capture ∃'s winning strategy. If the position is [ΦUΨ],Γ and Γ, ΦUΨ is A-consistent then by rule Rel, the other half of axiom 4 and axiom 7, Γ, Ψ ∨ (Φ ∧ X(Φ_{¬Γ}UΨ_{¬Γ})) is A-consistent. □

In [7] soundness and completeness of the following axiom system DUX for LTL is proved using maximal consistent sets of formulas².

A1. …
A2. …
A3. X(Φ → Ψ) → (XΦ → XΨ)
A4. ffRΦ → Φ ∧ X(ffRΦ)
A5. ffR(Φ ∧ XΦ) → (Φ → ffRΦ)
U1. ΦUΨ → …
U2. ΦUΨ ↔ Ψ ∨ (Φ ∧ X(ΦUΨ))
R1. any tautology instance
R2. if ⊢ Φ and ⊢ Φ → Ψ then ⊢ Ψ
R3. if ⊢ Φ then ⊢ ffRΦ

²A4, A5 and U2 as presented here differ slightly from their original form, which is due to the different semantics of the G and U operator used there.

Soundness of DUX and completeness of A ensure that, if DUX ⊢ Φ then A ⊢ Φ. However, it is also interesting to compare the two axiomatisations in detail.

Axioms and rules A2, A3, U2, R1 and R2 are present in A. A4 is an instance of axiom 3 and U1 simply reflects an abbreviation. R3 can be simulated in A as follows. Suppose there is a proof using R3. Then there is a shorter proof of Ψ in DUX for which by hypothesis there is an A-proof, too. Instantiate Rel with Φ' = tt and Φ = ff. This proves ⊢ ffRΨ if ⊢ Ψ ∧ Xtt is provable. But this can be done using the hypothesis, axiom 1 and rule XGen.

The remaining axioms A1 and A5 are more complicated to prove in A. A simple way is to show that ∀ wins the focus game on the negations of these axioms. The game rules and winning conditions resemble the axioms and rules of A which are needed for the proof. We show this for A5. The negation of this axiom is Φ ∧ (ffR(Φ ∧ XΦ)) ∧ (ttU¬Φ). Let Φ' = Φ ∧ (ffR(Φ ∧ XΦ)).

Φ, ffR(Φ ∧ XΦ), [ttU¬Φ]
…, X(ffR(Φ ∧ XΦ)), … ∨ …
XΦ, X(ffR(Φ ∧ XΦ)), …
ffR(Φ ∧ XΦ), …

The game rules used are the unfolding of R, the adorned unfolding of U, the disjunctive choice and the next rule. Player ∀ wins with winning condition 2. Therefore the axioms and rules needed to prove A5 are 1 and MP (for ∨), 2 and 3 (for the unfoldings), 4–6, XGen (for next), 7 (to reason about the negation of A5), and Rel to describe the winning condition.




5 CTL

In this section we define focus games for CTL. Again we present CTL in positive form. Formulas of CTL are built from Prop, the boolean connectives ∨ and ∧, the two unary temporal operators QX and the four binary temporal operators Q(…U…), Q(…R…) where Q ∈ {E, A}. E is the "some paths" quantifier and A is the "for all paths" quantifier.

A Kripke model for CTL formulas consists of a set of states S, a binary transition relation R which is total (for all s ∈ S there is a t ∈ S such that sRt) and a valuation which assigns to each state s ∈ S a maximal consistent set of atomic formulas in Prop. The semantics defines when a state s satisfies a formula Φ, s ⊨ Φ, and it appeals to full paths from a state s₀, which is an ω-sequence of states s₀s₁… such that sᵢRsᵢ₊₁ for each i ≥ 0. In the case of q ∈ Prop, s ⊨ q iff q belongs to the valuation of s. The clauses for the boolean connectives are as usual. The remaining clauses are as follows.


s ⊨ EXΦ      iff  ∃t. sRt and t ⊨ Φ
s ⊨ AXΦ      iff  ∀t. if sRt then t ⊨ Φ
s₀ ⊨ E(ΦUΨ)  iff  ∃ full path s₀s₁… ∃i ≥ 0. sᵢ ⊨ Ψ and ∀j : 0 ≤ j < i. sⱼ ⊨ Φ
s₀ ⊨ A(ΦUΨ)  iff  ∀ full paths s₀s₁… ∃i ≥ 0. sᵢ ⊨ Ψ and ∀j : 0 ≤ j < i. sⱼ ⊨ Φ
s₀ ⊨ E(ΦRΨ)  iff  ∃ full path s₀s₁… ∀i ≥ 0. sᵢ ⊨ Ψ or ∃j : 0 ≤ j < i. sⱼ ⊨ Φ
s₀ ⊨ A(ΦRΨ)  iff  ∀ full paths s₀s₁… ∀i ≥ 0. sᵢ ⊨ Ψ or ∃j : 0 ≤ j < i. sⱼ ⊨ Φ

The semantics of until and release formulas are determined by their fixed point definitions. Q(ΦUΨ) is the least solution to α = Ψ ∨ (Φ ∧ QXα) and Q(ΦRΨ) is the largest solution to α = Ψ ∧ (Φ ∨ QXα).
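As an added example (not code from the paper), the following Python program evaluates these clauses over a finite Kripke model by iterating the two fixed point equations: Q(ΦUΨ) upwards from ff and Q(ΦRΨ) downwards from tt, with EX and AX as the one-step operators. The four-state model and its valuation are constructed sample input; the last two entries check the dualities AX¬Φ ↔ ¬EXΦ and ¬A(ΦRΨ) ↔ E(¬ΦU¬Ψ) (axioms 6 and 10 of Figure 4) on that model.

```python
from typing import Dict, FrozenSet, Iterable

State = str
StateSet = FrozenSet[State]


class Kripke:
    """Finite Kripke model (S, R, valuation) with a total transition relation R."""

    def __init__(self, states: Iterable[State], trans: Dict[State, Iterable[State]],
                 valuation: Dict[State, Iterable[str]]) -> None:
        self.states: StateSet = frozenset(states)
        self.trans = {s: frozenset(trans.get(s, ())) for s in self.states}
        # The section requires R to be total: every state has some successor.
        for s in self.states:
            if not self.trans[s]:
                raise ValueError(f"transition relation is not total at state {s!r}")
        self.val = {s: frozenset(valuation.get(s, ())) for s in self.states}

    # A formula is represented by the set of states that satisfy it.
    def atom(self, q: str) -> StateSet:
        return frozenset(s for s in self.states if q in self.val[s])

    def neg(self, a: StateSet) -> StateSet:
        return self.states - a

    def EX(self, a: StateSet) -> StateSet:
        # s ⊨ EXΦ iff ∃t. sRt and t ⊨ Φ
        return frozenset(s for s in self.states if self.trans[s] & a)

    def AX(self, a: StateSet) -> StateSet:
        # s ⊨ AXΦ iff ∀t. if sRt then t ⊨ Φ
        return frozenset(s for s in self.states if self.trans[s] <= a)

    def _qx(self, q: str):
        if q not in ("E", "A"):
            raise ValueError("path quantifier must be 'E' or 'A'")
        return self.EX if q == "E" else self.AX

    def until(self, q: str, phi: StateSet, psi: StateSet) -> StateSet:
        """Q(ΦUΨ): least solution of α = Ψ ∨ (Φ ∧ QXα), iterated upwards from ff."""
        qx = self._qx(q)
        alpha: StateSet = frozenset()
        while True:
            nxt = psi | (phi & qx(alpha))
            if nxt == alpha:
                return alpha
            alpha = nxt

    def release(self, q: str, phi: StateSet, psi: StateSet) -> StateSet:
        """Q(ΦRΨ): largest solution of α = Ψ ∧ (Φ ∨ QXα), iterated downwards from tt."""
        qx = self._qx(q)
        alpha: StateSet = self.states
        while True:
            nxt = psi & (phi | qx(alpha))
            if nxt == alpha:
                return alpha
            alpha = nxt


def demo() -> dict:
    """Evaluate the clauses on a constructed four-state model (sample input, not from the paper)."""
    m = Kripke(
        states=["a", "b", "c", "d"],
        trans={"a": ["b", "c"], "b": ["b"], "c": ["d"], "d": ["d"]},
        valuation={"a": ["p"], "b": ["p"], "c": ["p"], "d": ["q"]},
    )
    p, q = m.atom("p"), m.atom("q")
    ff: StateSet = frozenset()
    return {
        "E(pUq)": m.until("E", p, q),   # some path reaches a q-state through p-states
        "A(pUq)": m.until("A", p, q),   # every path does
        "EGp": m.release("E", ff, p),   # EGp is E(ffRp)
        "AGp": m.release("A", ff, p),   # AGp is A(ffRp)
        # Dualities used by axioms 6 and 10 of Figure 4, checked on this model:
        "AX¬p = ¬EXp": m.AX(m.neg(p)) == m.neg(m.EX(p)),
        "¬A(pRq) = E(¬pU¬q)": m.neg(m.release("A", p, q)) == m.until("E", m.neg(p), m.neg(q)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, sorted(value) if isinstance(value, frozenset) else value)
```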

We now define the focus game G'(Φ₀) for a CTL formula Φ₀. As with the LTL game, a position in a play of G'(Φ₀) is an element [Φ],Γ where Φ ∈ Sub(Φ₀) and Γ ⊆ Sub(Φ₀) − {Φ}, and a play is a sequence of positions P₀P₁ … Pₙ where P₀ is the initial position [Φ₀]. The change in position Pᵢ to Pᵢ₊₁ is determined by one of the moves of Figure 3. Again they are divided into three groups. First are rules for ∃, who chooses disjuncts in and out of focus. Second are the moves for player ∀, who chooses which conjunct remains in focus and who also can change focus with the rule change. Player ∀ also chooses the next state when an AX formula is in focus, by choosing a single EXΨⱼ, if there is one: we include here the case where l = 0 and ∀ does not have any choice. Finally, there are the remaining moves which do not involve any choices, and so neither player is responsible for them. These include the fixed point unfolding of until and release in and out of focus, the removal of ∧ out of focus and the next state rule when an EX formula is in focus. The winning conditions for a player are almost identical to the LTL game.

Player ∃

[Φ₀ ∨ Φ₁],Γ  ⟶  [Φᵢ],Γ
[Φ],Φ₀ ∨ Φ₁,Γ  ⟶  [Φ],Φᵢ,Γ

Player ∀

[Φ₀ ∧ Φ₁],Γ  ⟶  [Φᵢ],Γ
change:  [Φ'],Φ,Γ  ⟶  [Φ],Φ',Γ
next:  [AXΦ₁],…,AXΦₙ,EXΨ₁,…,EXΨₗ,q₁,…,qₘ  ⟶  [Φ₁],…,Φₙ,Ψⱼ

Other moves

[Q(ΦUΨ)],Γ  ⟶  [Ψ ∨ (Φ ∧ QXQ(ΦUΨ))],Γ
[Φ'],Q(ΦUΨ),Γ  ⟶  [Φ'],Ψ ∨ (Φ ∧ QXQ(ΦUΨ)),Γ
[Q(ΦRΨ)],Γ  ⟶  [Ψ ∧ (Φ ∨ QXQ(ΦRΨ))],Γ
[Φ'],Q(ΦRΨ),Γ  ⟶  [Φ'],Ψ ∧ (Φ ∨ QXQ(ΦRΨ)),Γ
[Φ],Φ₀ ∧ Φ₁,Γ  ⟶  [Φ],Φ₀,Φ₁,Γ
next:  [EXΨ₁],…,EXΨₗ,AXΦ₁,…,AXΦₙ,q₁,…,qₘ  ⟶  [Ψ₁],Φ₁,…,Φₙ

Figure 3. CTL Game moves (premise ⟶ conclusion)

Definition 1 Player ∀ wins the play P₀, …, Pₙ if

1. Pₙ is [q],Γ and (q is ff or ¬q ∈ Γ) or

2. Pₙ is [Q(ΦUΨ)],Γ and for some i < n the position Pᵢ is [Q(ΦUΨ)],Γ and between Pᵢ … Pₙ player ∀ has not applied the rule change.

Definition 2 Player ∃ wins the play P₀, …, Pₙ if

1. Pₙ is [q₁], …, qₙ and {q₁, …, qₙ} is satisfiable or

2. Pₙ is [Q(ΦRΨ)],Γ and for some i < n the position Pᵢ is [Q(ΦRΨ)],Γ or

3. Pₙ is [Φ],Γ and for some i < n the position Pᵢ is [Φ],Γ and between Pᵢ … Pₙ player ∀ has applied the rule change.

Facts 1 and 2 of Section 3 also hold for CTL games. A main result is again the game characterisation of satisfiability.

Proposition 1 ∃ wins the game G'(Φ₀) iff Φ₀ is satisfiable.

Proof: Assume ∃ wins the game G'(Φ₀). The proof is similar to that of Proposition 1 of Section 3, except that all "next" state choices are examined, and so we have a tree of plays instead of a single play. Let the until subformulas Qᵢ(ΦᵢUΨᵢ) of Φ₀ be arranged in an initial priority list in order of decreasing size. Each play in the tree of plays has its own associated current priority list. Player ∀ starts with the focus on Φ₀. Once the focus is on an until formula, Qᵢ(ΦᵢUΨᵢ), player ∀ keeps the focus on it until it is fulfilled (player ∃ chooses Ψᵢ) or there is branching. At an application of next a play splits into all choices, each with its own priority list. If the focus is on a formula AXΦ₁ then it will be on Φ₁ in all these plays and they each have the same priority list. If the position is [EXΨ₁], …, EXΨₗ, AXΦ₁, …, AXΦₙ, q₁, …, qₘ and l is the current priority list then the focus remains on Ψ₁ in the play with this subformula with list l. Otherwise for each i > 1 there is the play where ∀ changes focus for the position Ψᵢ, Φ₁, …, Φₙ. If Ψ₁ is … then this formula is moved to the end of the priority list lᵢ and ∀ chooses as focus the earliest until formula in lᵢ present in the position EXΨᵢ, AXΦ₁, …, AXΦₙ, if this is possible. This argument is repeated. By assumption player ∃ wins the finite tree of plays. It is now straightforward to read off a Kripke model from this tree of plays where Φ₀ is true at the initial state.

For the converse assume that Φ₀ is satisfiable. We show that ∃ has a winning strategy for the game G'(Φ₀). We use the fact that for each Q ∈ {A, E} if Φ' ∧ Q(ΦUΨ) is satisfiable then Φ' ∧ (Ψ ∨ (Φ ∧ QXQ((Φ ∧ ¬Φ')U(Ψ ∧ ¬Φ')))) is satisfiable. So the interpretation of Q(ΦUΨ) can be adorned whenever it is unfolded in focus as with Proposition 2 of Section 3. □

One important difference with LTL is the complexity of checking the winner of a game G'(Φ₀), because of branching choices for ∀.

Proposition 2 The complexity of deciding the winner of G'(Φ₀) is in EXPTIME.

Proof: The proof is very similar to that of Proposition 3 of Section 3. However, the tree of all plays is now an and-or tree because of player ∀'s choices using rule next. Therefore the polynomial space algorithm deciding the winner of G'(Φ₀) is alternating instead of nondeterministic. By [3] the problem is therefore in EXPTIME. □

6 A complete axiomatisation for CTL

The game theoretic characterisation of CTL satisfiability also allows one to extract a sound and complete axiom system for CTL, the system B in Figure 4.

Axioms

1. any tautology instance
2. E(ΦUΨ) ↔ Ψ ∨ (Φ ∧ EXE(ΦUΨ))
3. A(ΦUΨ) ↔ Ψ ∨ (Φ ∧ AXA(ΦUΨ))
4. E(ΦRΨ) ↔ Ψ ∧ (Φ ∨ EXE(ΦRΨ))
5. A(ΦRΨ) ↔ Ψ ∧ (Φ ∨ AXA(ΦRΨ))
6. AX¬Φ ↔ ¬EXΦ
7. AX¬Φ → ¬AXΦ
8. AXΦ ∧ AXΨ → AX(Φ ∧ Ψ)
9. AX(Φ → Ψ) → (AXΦ → AXΨ)
10. ¬A(ΦRΨ) ↔ E(¬ΦU¬Ψ)
11. ¬E(ΦRΨ) ↔ A(¬ΦU¬Ψ)

Rules

MP if ⊢ Φ and ⊢ Φ → Ψ then ⊢ Ψ
AXGen if ⊢ Φ then ⊢ AXΦ
ERel if ⊢ Φ' → (Ψ ∧ (Φ ∨ EXE((Φ ∨ Φ')R(Ψ ∨ Φ')))) then ⊢ Φ' → E(ΦRΨ)
ARel if ⊢ Φ' → (Ψ ∧ (Φ ∨ AXA((Φ ∨ Φ')R(Ψ ∨ Φ')))) then ⊢ Φ' → A(ΦRΨ)

Figure 4. The axiom system B

Theorem 1 The axiom system B is sound and complete for CTL.

Proof: Soundness of B is straightforward. The most interesting cases are soundness of the ARel and ERel rules, and in the case of ERel the rule captures "limit closure". For completeness of B, the proof is similar to Theorem 1 of Section 4. If Φ₀ is B-consistent then player ∃ wins the game G'(Φ₀). Given a finite B-consistent set of formulas, any move by player ∀ or other move in Figure 1 preserves B-consistency. The important cases are the next state rules. Assume Φ₁, …, Φₙ, Ψⱼ is not B-consistent, and so B ⊢ Φ₁ ∧ … ∧ Φₙ → ¬Ψⱼ. So by AXGen and axioms 9, 8 and 6, B ⊢ AXΦ₁ ∧ … ∧ AXΦₙ → ¬EXΨⱼ (and using 7 instead of 6 one deals with the case when l = 0). Finally the ARel and ERel rules are used to capture ∃'s winning strategy. □

In [5] soundness and completeness of the following axiom system for CTL is proved using tableaux.

Ax1. any tautology instance
Ax2. EFΦ ↔ E(ttUΦ)
Ax3. AFΦ ↔ A(ttUΦ)
Ax4. EX(Φ ∨ Ψ) ↔ EXΦ ∨ EXΨ
Ax5. AXΦ ↔ ¬EX¬Φ
Ax6. E(ΦUΨ) ↔ Ψ ∨ (Φ ∧ EXE(ΦUΨ))
Ax7. A(ΦUΨ) ↔ Ψ ∨ (Φ ∧ AXA(ΦUΨ))
Ax8. EXtt ∧ AXtt
R1. if ⊢ Φ → Ψ then ⊢ EXΦ → EXΨ
R2. if ⊢ Φ' → Ψ ∧ EXΦ' then ⊢ Φ' → E(ΦRΨ)
R3. if ⊢ Φ' → Ψ ∧ AX(Φ' ∨ A(ΦRΨ)) then ⊢ Φ' → A(ΦRΨ)
R4. if ⊢ Φ and ⊢ Φ → Ψ then ⊢ Ψ
The same arguments for comparing the two LTL axiomatisations also hold for the two axiomatisations of CTL. Ax1, Ax5–Ax7, and R4 are already present in B. Ax2 and Ax3 are covered by the abbreviation of F. Ax4 can be proved by a combination of 6–9, 1 and MP. 1, AXGen, 7, MP and 6 establish Ax8. Rule R1 is simulated using AXGen, 9, MP, 7 and the hypothesis of having a shorter proof of Φ → Ψ in B. R2 is simulated in the following way. Suppose there is a B-proof of Φ' → Ψ ∧ EXΦ'. Then, by 4, 1, and MP there is also a proof of Φ' → Ψ ∧ (Φ ∨ EXE((Φ ∨ Φ')R(Ψ ∨ Φ'))) for any Φ. Using ERel yields a proof of Φ' → E(ΦRΨ). Simulating R3 is similar.

7 Conclusion

We have introduced a game theoretic approach to satisfiability checking of LTL and CTL. It remains to be seen if focus games extend to richer logics such as CTL* and the modal μ-calculus. In [12] it was shown that focus games can also be used to solve the model checking problem for CTL*. The game trees arising there are very similar to the tableau structures used in [2, 1]. However, in order to tackle the problem of deciding whether fixed point constructs are regenerated or reproduced these authors pursue a different strategy. Take the unfolding of ΦUΨ for example. While the focus highlights the case that player ∃ always chooses the term in which ΦUΨ occurs again, a path in the tableaux of [2] is successful if Ψ never occurs after ΦUΨ. The difference seems to be a point of view only. In the focus games it is checked whether a fixed point construct is regenerated, therefore it is never fulfilled. In the tableau approach it is checked whether it is never fulfilled, therefore it is regenerated.

In [1] the authors define Tableau Büchi Automata which are essentially the same as the tableaux of [2]. As with the focus games, this enables the authors to handle the regeneration problem of fixed points implicitly. Instead of explicitly requiring tableaux to be processed with a depth-first search, the solution to the regeneration problem is encoded in an acceptance condition, which is in that case a generalised Büchi condition. However, this small difference is the key to the strengthening lemma (Lemma 1 of Section 3) which underpins the proofs of completeness of the axiomatisations.

A more recent automata theoretic approach to satisfiability and model checking employs alternating automata [16, 11]. Although these appear to be very game theoretic, they rely upon automata over trees which capture the "and" branching, both in the case of the boolean "and" and in the case for CTL of branching through next states. In both cases of LTL and CTL, formulas are states of the automata, and transitions are determined by maximal consistent sets of atomic propositions. The acceptance conditions decide acceptable fixed point regeneration. It is not clear if this approach can underpin sound and complete axiomatisations.
Abstract

We extend the Alpern and Schneider linear time characterization of safety and liveness properties to branching time, where properties are sets of trees. We define two closure operators that give rise to the following four extremal types of properties: universally safe, existentially safe, universally live, and existentially live. The distinction between universal and existential properties captures the difference between the CTL path quantifiers A (for all paths) and E (there is a path). We show that every branching time property is the intersection of an existentially safe property and an existentially live property, a universally safe property and a universally live property, and an existentially safe property and a universally live property. We also examine how our closure operators behave on linear time properties.

We then focus on sets of finitely branching trees and show that our closure operators agree on linear time safety properties. Furthermore, if a set of trees is given implicitly as a Rabin tree automaton, B, we show that it is possible to compute the Rabin automata corresponding to the closures of the language of B. This allows us to effectively compute B_safe and B_live such that the language of B is the intersection of the languages of B_safe and B_live. As above, B_safe and B_live can be chosen so that their languages are existentially safe and existentially live, universally safe and universally live, or existentially safe and universally live.


1 Introduction

Pnueli and Harel introduced the concept of a reactive system, a system whose behavior is characterized by non-termination and on-going interaction with an environment over which the system has little control [14]. Many safety critical systems, such as on-board controllers and network protocols, can be modeled as reactive systems and, therefore, the problem of specifying and verifying the correct behavior of reactive systems has become a very active area of research. Linear time properties of reactive systems have been grouped into three categories by Lamport [19]: safety properties, liveness properties, and properties which are neither. Informally, safety properties assert that nothing bad ever happens while liveness properties assert that something good happens eventually. This distinction plays an important role in the analysis of reactive systems since the proof methods employed to check safety properties differ from those used to check liveness properties. For example, proofs of liveness properties frequently require the construction of well-founded relations while safety properties are usually proven by induction on the transition relation. Furthermore, liveness properties often cannot be handled by the automatic proof techniques available for safety properties, e.g., in some infinite state systems it is possible to automatically determine if a safety property can be violated, whereas the existence of a fair computation cannot be determined automatically [1].

In the linear time framework, where properties and the semantics of programs are sets of infinite strings, the distinction between safety and liveness is well understood. Alpern and Schneider [2] give a topological characterization in which safety properties are closed sets and liveness properties are dense sets. They also show that every linear time property can be given as the conjunction of a liveness property and a safety property. These results are well known and now appear in introductory textbooks on distributed systems. The topological characterization has been extended by various researchers, e.g., Gumm has stated the notions of safety and liveness in the more abstract setting of Boolean algebras [13].

In the branching time framework — which includes process algebra and logics such as CTL [7] (which is used by many model checkers and is of great practical importance), CTL* [10], and the μ-calculus [21, 17, 9] — properties and the semantics of programs are sets of infinite trees. While there has been some work on characterizing safety and liveness for the branching time framework [6, 18], we present the first characterization that distinguishes between the CTL path quantifiers A and E, an essential distinction. In addition, we allow infinitely branching trees; such trees are closely related to considerations of fairness [5, 12, 4] and are useful for modeling input and programs with statements such as x :=? (i.e., non-deterministically assign a number to variable x). We define two closure operators which satisfy the conditions of Gumm [13]. Interestingly, we show that one of the operators defines a topology and the other does not. The closures give rise to four extremal types of properties: universally safe, universally live, existentially safe, and existentially live. Universally safe properties are those that correspond to linear time safety properties over all computations while existentially safe properties are those which guarantee at least one safe computation. In a similar manner, universally live and existentially live properties distinguish between linear time liveness properties over all and over some computations. For example, the CTL property AGP — along every computation all states satisfy P — is a universally safe property, while EGP — there is a computation along which all states satisfy P — is an existentially safe property.

The paper is organized as follows: in the next section the basic notations and some preliminaries are given. Section 3 contains a review of the linear time results as well as the definitions of prefixes of trees, our closure operators, and safety and liveness in branching time. Section 3 also includes the results regarding the decomposition of properties into the extremal properties as well as some examples taken from Rem [22]. In Section 4 we consider finitely branching trees and show that for any linear time safety property h, Ah and Eh are both universally safe and existentially safe. In addition, for any linear time liveness property h, Ah is universally live and Eh is both universally live and existentially live. We further specialize our results to properties expressible as Rabin tree automata and show that if a set of trees is given implicitly as a Rabin tree automaton, B, it is possible to effectively compute B_safe and B_live such that the language of B is the intersection of the languages of B_safe and B_live, where B_safe and B_live can be chosen so that their languages are existentially safe and existentially live, universally safe and universally live, or existentially safe and universally live. Finally, Section 5 contains a brief conclusion and comparison with other work.

2 Preliminaries

$\mathbb{N}$ and $\omega$ both denote the natural numbers, i.e., $\{0, 1, \ldots\}$. $[i..j]$ denotes the set $\{k \in \mathbb{N} : i \le k \le j\}$; $Dom.f$ denotes the domain of function $f$. Function application is sometimes denoted by an infix dot and is right associative. $(Qx : r : b)$ denotes a quantified expression, where $Q$ is the quantifier, $x$ the bound variable, $r$ the range of $x$ (true if omitted), and $b$ the body. $\mathcal{P}(S)$ denotes the powerset of $S$. For a relation $R$, we write $R|_S$ for $R$ left-restricted to the set $S$, i.e., $R|_S = \{(a, b) : ((a, b) \in R) \wedge (a \in S)\}$. $S^*$ denotes the set of finite sequences over $S$; $S^\omega$ denotes the set of infinite sequences (functions from $\omega$) over $S$; $S^\infty = S^* \cup S^\omega$. Suppose $s, t \in S^\infty$. $\#s$ denotes the length of $s$ or, equivalently, the cardinality of $Dom.s$; $s$ is a prefix of $t$ ($s \preceq t$) iff $Dom.s \subseteq Dom.t$ and for all $i \in Dom.s$, $s.i = t.i$; $s$ is a proper prefix of $t$ ($s \prec t$) iff $s \preceq t$ and $s \neq t$. A set $U \subseteq S^\infty$ is prefix-closed iff for all $u \in U$ and for all $t \preceq u$, $t \in U$.

From highest to lowest binding power, we have: parentheses, function application, binary relations (e.g., $sRw$), equality ($=$) and membership ($\in$), conjunction ($\wedge$) and disjunction ($\vee$), implication ($\Rightarrow$), and finally, binary equivalence ($\equiv$). Spacing is used to reinforce binding: more space indicates lower binding.

Throughout this paper $\Sigma$ denotes a fixed alphabet, a non-empty set of symbols. An unlabeled tree is a prefix-closed subset of $\mathbb{N}^*$. A tree $\mathbf{w}$ is a pair $(W, w)$ where $W$ is an unlabeled tree and $w : W \to \Sigma$. A tree $(W, w)$ is total if $W \neq \emptyset$ and for all $\sigma \in W$ there exists $\rho \in W$ such that $\sigma \prec \rho$. A tree $(W, w)$ is finite-depth if there exists $n \in \mathbb{N}$ such that for all $\sigma \in W$, $\#\sigma \le n$. By $A^{tot}$, $A^{nt}$, and $A^{fd}$ we denote the set of total, non-total, and finite-depth trees, respectively. The set of all trees is denoted by $A$.

Let $\mathbf{t} = (W, w)$ be a tree. A $p \subseteq W$ is a path in $\mathbf{t}$ iff $p$ is a totally ordered (by $\preceq$), prefix-closed subset of $W$. Given a tree $(W, w)$ and a node $\sigma \in W$ we define the path $\hat{\sigma} = \{\sigma' \in W : \sigma' \preceq \sigma\}$. We extend $w$ to paths: given path $p = p_0 p_1 \cdots$, $w(p) = (w.p_0)(w.p_1) \cdots$.

We briefly describe CTL, CTL*, and LTL [20] formulae (see [8] for complete details). LTL formulae are formed from propositions, boolean connectives and the temporal operators $X$ (next time), $F$ (eventually), $G$ (always) and $U$ (until). LTL formulae define sets of infinite strings of (sets of) propositions. CTL* adds the universal and existential branching operators $A$ and $E$ to the LTL syntax. CTL is formed similarly with the restriction that each LTL temporal operator appears paired with its own path quantifier. CTL* and CTL formulae define sets of infinite depth trees labeled with (sets of) propositions.

3 Safety and Liveness

For the linear time framework, Alpern and Schneider define a closure operator on $\mathcal{P}(\Sigma^\omega)$ and show that it defines a topology [2]. Their closure operator, $lcl : \mathcal{P}(\Sigma^\omega) \to \mathcal{P}(\Sigma^\omega)$, is defined as follows: $lcl.T = \{t \in \Sigma^\omega : (\forall x : x \prec t : (\exists t' \in T :: x \preceq t'))\}$. Properties are subsets of $\Sigma^\omega$. Safety properties are defined to be the closed sets induced by $lcl$ and liveness properties are defined to be the dense sets. It is shown that any property $P$ is the intersection of $lcl.P$, a safety property, and $P \cup \neg(lcl.P)$, a liveness property. Gumm defines safety and liveness in the more abstract setting of Boolean algebras [13]. Given $B_1$ and $B_2$, two $\vee$-complete Boolean algebras, and $\varphi : B_1 \to B_2$, a $\vee$-preserving map, the closure $\bar{a}$ of $a \in B_1$ is defined as $\bigvee\{x \in B_1 : \varphi.a = \varphi.x\}$. For element $e \in B_1$, $e$ is a safety element iff $\bar{e} = e$ and $e$ is a liveness element iff $\bar{e} = 1$ ($1$ is the unit (top) element of $B_1$). It is proved that every element of $B_1$ is the conjunction of a safety element with a liveness element. We obtain the Alpern Schneider result by setting $B_1$ to $(\mathcal{P}(\Sigma^\omega), \Sigma^\omega, \emptyset, \cup, \cap, \neg)$, $B_2$ to $(\mathcal{P}(\Sigma^*), \Sigma^*, \emptyset, \cup, \cap, \neg)$, and $\varphi.T = \{x \in \Sigma^* : (\exists \sigma \in T :: x \preceq \sigma)\}$.

To define safety and liveness properties for branching time, we start by defining what it means to concatenate trees and use this notion to define what it means for one tree to be a prefix of another. We then define two prefix operators corresponding to $\varphi$ above. The closure, safety elements, and liveness elements are defined as above. We then explore the consequences and show that our characterization captures the intuitive notions of safety and liveness in the branching time framework.

3.1 A Partial Order for Trees

Given trees $\mathbf{w}$ and $\mathbf{x}$, we define a preliminary notion of tree concatenation, denoted $\mathbf{w} \cdot \mathbf{x}$.

Definition 1 Let $\mathbf{w} = (W, w)$ and $\mathbf{x} = (X, x)$ be trees. $\mathbf{w} \cdot \mathbf{x} = (W \cup X,\; w \cup (x|_{X \setminus W}))$.

Note that $\mathbf{w} \cdot \mathbf{x}$ is a tree and that this notion of concatenation amounts to superimposing $\mathbf{x}$ on $\mathbf{w}$. Unfortunately, the above notion of concatenation turns out not to be what we need. The problem is that it allows us to extend $\mathbf{w}$ at non-leaf nodes. Below, we define what it means to be a leaf and then introduce the notion of concatenation we require, where $\mathbf{w}$ concatenated with $\mathbf{x}$ is denoted by $\mathbf{w}\mathbf{x}$.

Definition 2 Let $\mathbf{w} = (W, w)$ be a tree. $leaf(z, \mathbf{w}) \equiv z \in W \wedge \neg(\exists y \in W :: z \prec y)$.

Definition 3 Let $\mathbf{w} = (W, w)$ and $\mathbf{x} = (X, x)$ be trees. Let $X' = \{y \in X : y \in W \vee (\exists z : leaf(z, \mathbf{w}) : z \prec y)\}$. Let $\mathbf{x}' = (X', x|_{X'})$. $\mathbf{w}\mathbf{x} = \mathbf{w} \cdot \mathbf{x}'$.

Note that $\mathbf{w}\mathbf{x}$ is a tree; the proof amounts to showing that $\mathbf{x}'$ is a tree. We now define what it means for one tree to be a prefix of another.

Definition 4 $\mathbf{x} \sqsubseteq \mathbf{y} \equiv (\exists \mathbf{z} :: \mathbf{x}\mathbf{z} = \mathbf{y})$

Notice that when restricted to sequences, $\sqsubseteq$ agrees with the usual notion of prefix.

Lemma 1 $\mathbf{x} \sqsubseteq \mathbf{y} \Rightarrow \mathbf{w}\mathbf{x} \sqsubseteq \mathbf{w}\mathbf{y}$

Lemma 2 $\sqsubseteq$ is a partial order.

Note that, due to space restrictions, some of the proofs are omitted.
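As an added example (not code from the paper), the following Python makes Definitions 1 to 4 concrete on finite trees: it shows that $\mathbf{w} \cdot \mathbf{x}$ can grow $\mathbf{w}$ at a non-leaf node while $\mathbf{w}\mathbf{x}$ cannot, and that $\sqsubseteq$ reduces to the ordinary prefix relation on sequences. The dict representation and the sample trees W and X are constructed for the example.

```python
"""Finite labelled trees (Section 2), the two concatenations of Section 3.1
and the prefix order of Definition 4.  Added example, not code from the
paper; the sample trees are constructed for illustration."""

# A tree is a dict from node to label.  Nodes are tuples of ints (elements
# of N*), the root is (), and the key set must be prefix-closed.


def is_tree(t):
    """The domain must be prefix-closed: every non-root node has its parent."""
    return all(n[:-1] in t for n in t if n)


def below(z, y):
    """z -< y: z is a proper prefix of y, i.e. y hangs strictly below z."""
    return len(z) < len(y) and y[:len(z)] == z


def leaves(w):
    """The nodes z with leaf(z, w) (Definition 2): nothing of W lies below z."""
    return {z for z in w if not any(below(z, y) for y in w)}


def superimpose(w, x):
    """w . x (Definition 1): domain W u X, labels w u x|(X \\ W).  Labels of w
    win on W, and x may add nodes anywhere, even under non-leaf nodes of w."""
    r = dict(x)
    r.update(w)
    return r


def concat(w, x):
    """w x (Definition 3): restrict x to X' = {y in X : y in W or z -< y for
    some leaf z of w}, then superimpose.  w is only ever extended at leaves."""
    lv = leaves(w)
    x_restricted = {y: lab for y, lab in x.items()
                    if y in w or any(below(z, y) for z in lv)}
    return superimpose(w, x_restricted)


def is_prefix(x, y):
    """x [= y (Definition 4): exists z with x z = y.  If any such z exists,
    then z = y itself works, so the test reduces to x y == y."""
    return concat(x, y) == y


def seq(s):
    """A sequence viewed as a tree: the string s laid along the leftmost branch."""
    return {(0,) * i: c for i, c in enumerate(s)}


# Constructed sample trees.  W is a root 'a' with one child 'a'; X tries to add
# a second child at the root (a non-leaf of W) and a grandchild under W's leaf.
W = {(): 'a', (0,): 'a'}
X = {(): 'c', (1,): 'b', (0,): 'c', (0, 0): 'b'}


def demo():
    """Return (w . x, w x): the first grows W at its root, the second does not."""
    return superimpose(W, X), concat(W, X)


if __name__ == '__main__':
    dot, cat = demo()
    print('w . x =', dot)                    # contains (1,): grown at a non-leaf
    print('w x   =', cat)                    # only (0, 0) added, below leaf (0,)
    print('W [= w x  :', is_prefix(W, cat))  # True
    print('W [= w . x:', is_prefix(W, dot))  # False: (1,) hangs below no leaf of W
    # On sequences, [= is the usual prefix relation (labels must agree too).
    print(is_prefix(seq('ab'), seq('abc')), is_prefix(seq('ab'), seq('ac')))
```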

Elements of $\mathcal{P}(A^{tot})$ are the branching time properties. Note that $(\mathcal{P}(A^{tot}), A^{tot}, \emptyset, \cup, \cap, \neg)$ and $(\mathcal{P}(A^{nt}), A^{nt}, \emptyset, \cup, \cap, \neg)$ are Boolean algebras.

3.2 Prefixes and Closures

We define the non-total and finite-depth prefix operators, $npref$ and $fpref$, functions from $\mathcal{P}(A^{tot})$ to $\mathcal{P}(A^{nt})$ and $\mathcal{P}(A^{fd})$ respectively, as follows.

Definition 5 $npref.p = \{x \in A^{nt} : (\exists y \in p :: x \sqsubseteq y)\}$

Definition 6 $fpref.p = \{x \in A^{fd} : (\exists y \in p :: x \sqsubseteq y)\}$

The prefix operators correspond to $\varphi$, the $\vee$-preserving map described above. The induced closure functions, from $\mathcal{P}(A^{tot})$ to $\mathcal{P}(A^{tot})$, are the following.

Definition 7 $ncl.p = \bigcup\{q \subseteq A^{tot} : npref.q = npref.p\}$

Definition 8 $fcl.p = \bigcup\{q \subseteq A^{tot} : fpref.q = fpref.p\}$

The closure functions have the following properties.

Lemma 3 $ncl.p = \{y \in A^{tot} : (\forall x \in A^{nt} : x \sqsubseteq y : x \in npref.p)\}$

Lemma 4 $fcl.p = \{y \in A^{tot} : (\forall x \in A^{fd} : x \sqsubseteq y : x \in fpref.p)\}$

After expanding the definitions of the prefix operators in the above two lemmas, notice that the characterizations of $ncl$ and $fcl$ are very similar to the definition of $lcl$.

Lemma 5 $p \subseteq ncl.p$ and $p \subseteq fcl.p$

Lemma 6 $ncl.ncl.p = ncl.p$ and $fcl.fcl.p = fcl.p$

3.3 Safety

We say that a property is a safety property if the property is equal to its closure. Since we have two types of closures, we have two types of safety properties: existentially safe (ES) and universally safe (US). The intuition is that the existentially safe properties guarantee at least one computation along which nothing bad happens. The universally safe properties guarantee that nothing bad happens during any computation. This type of distinction is made with the CTL operators $E$, which existentially quantifies over paths, and $A$, which universally quantifies over paths. In the sequel, we implicitly extend functions on sets to functions on formulae, by applying the functions to the sets of trees or strings which the formulae define.

Definition 9 (Existentially Safe) $p \in ES \equiv p = ncl.p$

Definition 10 (Universally Safe) $p \in US \equiv p = fcl.p$

Lemma 7 $ncl.p \subseteq fcl.p$

Proof The domain of the quantifier in the definition of $fcl$, $A^{fd}$, is a subset of $A^{nt}$, the domain of the quantifier in the definition of $ncl$. □

Lemma 8 $p \in US \Rightarrow p \in ES$

Proof $p \in US \equiv p = fcl.p$, but $p \subseteq ncl.p$ and $ncl.p \subseteq fcl.p$, so $p = ncl.p$, i.e., $p \in ES$. □


3.4 Liveness

We will now define what it means for a property to be a liveness property. A liveness property is one whose closure is the set of all trees. Given our two notions of closure, we have two notions of liveness.

Definition 11 (Existentially Live) $p \in EL \equiv ncl.p = A^{tot}$

Definition 12 (Universally Live) $p \in UL \equiv fcl.p = A^{tot}$

Lemma 13 $p \in EL \Rightarrow p \in UL$

Proof $p \in EL \equiv ncl.p = A^{tot}$, but since $ncl.p \subseteq fcl.p$, $fcl.p = A^{tot}$, i.e., $p \in UL$. □

Lemma 9 $ncl.fcl.p = fcl.p$

Proof $fcl.p \subseteq ncl.fcl.p \subseteq fcl.fcl.p = fcl.p$ □

We note that $fcl.ncl.p = ncl.p$ does not hold; for example, when $p = EGa$ (there exists a path such that every node in the path is labeled by an $a$), we will see that $ncl.p = p$, but $fcl.p \neq p$.

Lemma 10 $p \subseteq q \Rightarrow ncl.p \subseteq ncl.q \wedge fcl.p \subseteq fcl.q$

Recall that an operator $c : \mathcal{P}(X) \to \mathcal{P}(X)$ defines a topology on $X$ with closed sets $\{a \subseteq X : c.a = a\}$ iff the following four conditions hold [15]:

• $c.\emptyset = \emptyset$

• $a \subseteq c.a$

• $c.c.a = c.a$

• $c.(a \cup b) = c.a \cup c.b$

Therefore, the following lemma shows that $fcl$ defines a topology.

Lemma 11 $fcl.p \cup fcl.q = fcl.(p \cup q)$

Since $ncl.(p \cup q) \subseteq ncl.p \cup ncl.q$ is not a theorem, $ncl$ does not define a topology. This does not cause us any technical difficulties, but it is interesting because $lcl$, the closure operator in the linear time case, does define a topology. We have the following, however.

Lemma 12 $ncl.p \cup ncl.q \subseteq ncl.(p \cup q)$


Lemma 14 $US \cap UL = \{A^{tot}\}$

Proof $p \in (US \cap UL) \equiv p = fcl.p \wedge fcl.p = A^{tot} \equiv p = A^{tot}$ □

Lemma 15 $ES \cap EL = \{A^{tot}\}$

Lemma 16 $US \cap EL = \{A^{tot}\}$

Proof $p \in (US \cap EL) \equiv p = fcl.p \wedge ncl.p = A^{tot} \equiv p = ncl.p \wedge ncl.p = A^{tot} \equiv p = A^{tot}$ □

Note that $ES \cap UL = \{A^{tot}\}$ does not hold, e.g., ($AFa$ means along all futures $a$ eventually holds) let $p = ncl.AFa$; then $p = ncl.p$ and $fcl.p = A^{tot}$, but $p \neq A^{tot}$.

On account of Lemma 10, we have the following two properties:

Lemma 17 $p \subseteq q \wedge p \in EL \Rightarrow q \in EL$

Lemma 18 $p \subseteq q \wedge p \in UL \Rightarrow q \in UL$

Lemma 19 $(p \cup \neg ncl.p) \in EL$

Proof $ncl.(p \cup \neg ncl.p) \supseteq ncl.p \cup ncl.(\neg ncl.p) \supseteq ncl.p \cup \neg ncl.p = A^{tot}$ □

Lemma 20 $(p \cup \neg fcl.p) \in UL$

Theorem 1 Every property is the intersection of: (1) an existentially safe and an existentially live property, (2) a universally safe and a universally live property, and (3) an existentially safe and a universally live property.

Proof (1). $ncl.p \in ES$ and $(p \cup \neg ncl.p) \in EL$; their intersection yields $ncl.p \cap (p \cup \neg ncl.p) = ncl.p \cap p = p$. (2). $fcl.p \in US$ and $(p \cup \neg fcl.p) \in UL$; their intersection yields $fcl.p \cap (p \cup \neg fcl.p) = fcl.p \cap p = p$. (3). $ncl.p \in ES$ and $(p \cup \neg fcl.p) \in UL$; their intersection yields $ncl.p \cap (p \cup \neg fcl.p) = (ncl.p \cap p) \cup (ncl.p \cap \neg fcl.p) = p \cup (ncl.p \cap \neg fcl.p) = p$, since $ncl.p \subseteq fcl.p$. □

The next theorem shows that certain properties do not correspond to the intersection of a universally safe and an existentially live property.

Theorem 2 [16] Let $Q$ be a subset of $A^{tot}$ such that $fcl.Q = A^{tot}$ and $ncl.Q \neq A^{tot}$. There do not exist sets $S, L \subseteq A^{tot}$ such that $fcl.S = S$, $ncl.L = A^{tot}$, and $S \cap L = Q$.

Proof Suppose $S \cap L = Q$, $fcl.S = S$, and $ncl.L = A^{tot}$; then $Q \subseteq S$, which gives $A^{tot} = fcl.Q \subseteq fcl.S$ and hence $S = A^{tot}$. Since $Q = S \cap L$, then $L = Q$, which implies that $ncl.Q = A^{tot}$, contradicting the assumption. □

We will see shortly that the set of trees satisfying the CTL formula $AFp$ satisfies the preconditions of the previous theorem.

Our decomposition of a property into a safety property and a liveness property is extreme in the following sense.

Lemma 21 If $(q \in ES \vee q \in US)$ and $p = (q \cap r)$, then $ncl.p \subseteq q$ and $r \subseteq (p \cup \neg ncl.p)$.

Proof For the first part note that $p = (q \cap r) \Rightarrow p \subseteq q \Rightarrow ncl.p \subseteq ncl.q \wedge ncl.q \subseteq fcl.q \Rightarrow ncl.p \subseteq q$, as by assumption $q = ncl.q \vee q = fcl.q$.

For the other part, we have $(q \cap r) = p$, which by $ncl.p \subseteq q$ (the first part) implies $(ncl.p \cap r) \subseteq p$, which, if we union $\neg ncl.p$ to both sides and simplify the left, implies $(\neg ncl.p \cup r) \subseteq (p \cup \neg ncl.p)$, which implies $r \subseteq (p \cup \neg ncl.p)$. □


Theorem 3 Let $h$ be an LTL formula which is a safety property; then $fcl.Ah = ncl.Ah = Ah$ and $ncl.Eh = Eh$.

Proof Suppose $\mathbf{t} \in A^{tot}$, $\mathbf{t} = (T, \tau)$, $\mathbf{t} \in fcl.Ah$, and $\mathbf{t} \notin Ah$. Then there is some path $x$ in $\mathbf{t}$ such that $\tau(x) \notin h$. Since $h$ is a safety property, $lcl.h = h$; this implies that for some $i \in \mathbb{N}$, $\tau(x_0 \cdots x_i)$ cannot be extended to a string in $h$. Hence for any $\mathbf{u} \in A^{fd}$ such that $\mathbf{u} \sqsubseteq \mathbf{t}$ and $\mathbf{u}$ includes $x_0 \cdots x_i$, $\mathbf{u}$ cannot be extended into a tree $\mathbf{v}$ such that $\mathbf{v} \in Ah$. Hence there is no such $\mathbf{t}$ and $fcl.Ah = Ah$. We also have $Ah \subseteq ncl.Ah \subseteq fcl.Ah = Ah$, so $ncl.Ah = Ah$.

Suppose $\mathbf{t} \in A^{tot}$, $\mathbf{t} = (T, \tau)$, $\mathbf{t} \in ncl.Eh$ and $\mathbf{t} \notin Eh$. Since $\mathbf{t} \notin Eh$, for no full path $y$ in $\mathbf{t}$ is $\tau(y) \in h$. Let $x$ be a path whose prefix $\tau(x_0 \cdots x_i)$ cannot be extended to a string in $h$. Let $\mathbf{u} \in A^{nt}$ be the tree obtained from $\mathbf{t}$ by making $x_i$ a leaf (i.e., removing all its descendants). Then $\mathbf{u}$ cannot be extended into a tree $\mathbf{v}$ such that $\mathbf{v} \in Eh$ and hence $\mathbf{t} \notin ncl.Eh$. Therefore $ncl.Eh = Eh$. □

The following property shows that $fcl$ is not an appropriate closure operator for existentially quantified safety properties of paths. That is, a safety property to which existential quantification is added is not necessarily closed under $fcl$.

Lemma 22 $fcl.EGP \neq EGP$

Proof Consider a total tree whose root has an infinite number of children, but every other node has exactly one child. Furthermore, the path through the first child is labeled by $a(\neg a)^\omega$. The path through the second child is labeled by $aa(\neg a)^\omega$, and so on. No path in the tree satisfies $Ga$, so the tree is not in $EGa$, but any finite depth prefix of the tree can be extended to a tree in $EGa$. □


Theorem 4 Let $h$ be an LTL formula which is a liveness property; then $fcl.Ah = A^{tot}$ and $ncl.Eh = fcl.Eh = A^{tot}$.

Proof $h$ is a liveness property implies that $lcl.h = \Sigma^\omega$, i.e., every finite string is a prefix of some string in $h$.

Let $\mathbf{t} \in A^{tot}$, $\mathbf{t} = (T, \tau)$, and $\mathbf{u} \sqsubseteq \mathbf{t}$ such that $\mathbf{u} \in A^{fd}$. Consider any full path $x$ in $\mathbf{u}$. $\tau(x)$ is a prefix of some $\sigma \in lcl.h$; hence, $x$ can be extended to a path $y$ such that $\tau(y) \in h$. Therefore $\mathbf{t} \in fcl.Ah$. Hence $fcl.Ah = A^{tot}$.

Let $\mathbf{t} \in A^{tot}$, $\mathbf{t} = (T, \tau)$, and $\mathbf{u} \sqsubseteq \mathbf{t}$, such that $\mathbf{u} \in A^{nt}$. If $\mathbf{u}$ contains a path $\sigma$ such that $\tau(\sigma) \in h$ then $\mathbf{t} \in ncl.Eh$. Else, consider any full finite path $x$ in $\mathbf{u}$. As in the first proof above, $x$ can be extended to an infinite path $y$ with $\tau(y) \in h$ and hence $\mathbf{t} \in ncl.Eh$. Therefore $ncl.Eh = A^{tot}$. We also have $A^{tot} = ncl.Eh \subseteq fcl.Eh$; hence, $fcl.Eh = A^{tot}$. □

The following property shows that $ncl$ is not an appropriate closure operator for universally quantified liveness properties of paths. That is, given a liveness property of paths, adding universal quantification and taking the $ncl$ closure does not necessarily result in the set of all trees.

Lemma 23 $ncl.AFP \neq A^{tot}$

3.5 Examples

We now take a moment to consider the ramifications of our approach by comparison with Martin Rem's [22] example properties, listed below. Rem's examples are formulated as predicates on $t$, an infinite sequence over $\Sigma$.

p0: false (corresponds to $\emptyset$);
p1: the first symbol of $t$ is $a$;
p2: the first symbol of $t$ differs from $a$;
p3: the first symbol of $t$ is $a$, and $t$ contains a symbol that differs from $a$;
p4: the number of $a$'s in $t$ is finite;
p5: the number of $a$'s in $t$ is infinite;
p6: true (corresponds to $\Sigma^\omega$).

If we are dealing with sequences, p0, p1, p2, and p6 are safety properties. The (linear) closure of p3 is p1, so p3 is not a safety property. The closures of p4 and p5 are both $\Sigma^\omega$; so they are not safety properties, but they are liveness properties.

Note that if we restrict $\mathbf{t}$ to infinite sequences, then both $fcl$ and $ncl$ agree with $lcl$. In order to examine the above properties in a branching time framework, we write them down in LTL [20] and CTL*. Note that in translating the above examples to properties over trees there is some ambiguity. In particular, we have translated p4 into both q4a and q4b, and in fact neither of these translations captures the notion that there are only a finite number of $a$'s in a tree, but rather that there are a finite number of $a$'s on a path (on all paths) in the tree.


       LTL                   CTL*
q0:    false                 false (corresponds to $\emptyset$);
q1:    $a$                   $a$;
q2:    $\neg a$              $\neg a$;
q3a:   $a \wedge F\neg a$    $A(a \wedge F\neg a) = a \wedge AF\neg a$;
q3b:                         $E(a \wedge F\neg a) = a \wedge EF\neg a$;
q4a:   $FG\neg a$            $A(FG\neg a)$;
q4b:                         $E(FG\neg a)$;
q5a:   $GFa$                 $A(GFa)$;
q5b:                         $E(GFa)$;
q6:    true                  true (corresponds to $A^{tot}$).

Below we give an informal translation of the above CTL* sentences. q1 is true of any tree whose root is labeled with $a$; similarly for q2. q3a is true of the trees whose root is labeled with $a$ and which along each path have a node labeled with $\neg a$. q3b is true of the trees whose root is labeled with $a$ and which along some path have a node labeled with $\neg a$. q4a is true of the trees where along each path, eventually all nodes are labeled with $\neg a$. q4b is true of the trees where along some path, eventually all nodes are labeled with $\neg a$. q5a is true of the trees where along each path, infinitely many nodes are labeled with $a$. q5b is true of the trees where along some path, infinitely many nodes are labeled with $a$.

It is not difficult to show that q0, q1, q2, and q6 are universally safe (and hence existentially safe).

$fcl.q3a = q1$, as before, but $ncl.q3a \neq q1$ (consider a tree that has at least two paths such that along one of the paths $a$ always holds; this tree is not in $ncl.q3a$). $ncl.q3a \neq q3a$ (trees can be sequences, so $\{p : p \in \Sigma^\omega\} \subseteq ncl.q3a$). $ncl.q3b = q1$ and $fcl.q3b = q1$.

$fcl.q4a = A^{tot}$, as before, but $ncl.q4a \neq A^{tot}$ (consider a tree that has at least two paths such that along one of the paths $a$ always holds; this tree is not in $ncl.q4a$). $ncl.q4a \neq q4a$ (trees can be sequences, so $\{p : p \in \Sigma^\omega\} \subseteq ncl.q4a$). $ncl.q4b = A^{tot}$, so $fcl.q4b = A^{tot}$.

$fcl.q5a = A^{tot}$, as before, but $ncl.q5a \neq A^{tot}$ (consider a tree that has at least two paths such that along one of the paths $\neg a$ always holds; this tree is not in $ncl.q5a$). $ncl.q5a \neq q5a$ (trees can be sequences, so $\{p : p \in \Sigma^\omega\} \subseteq ncl.q5a$). $ncl.q5b = A^{tot}$, so $fcl.q5b = A^{tot}$.

4 Finite Branching Trees

In the previous sections we studied sets of trees that included infinitely branching trees. However, many systems do not have such trees and it is interesting to see what benefits are obtainable when considering only bounded branching structures.

Let $k \in \mathbb{N}$. A tree $(W, w)$ is a $k$-branching tree iff for all $\sigma \in W$ there exist exactly $k$ unique elements of $\mathbb{N}$, $a_0, \ldots, a_{k-1}$, such that $\sigma a_0, \ldots, \sigma a_{k-1} \in W$. In what follows we consider sets of trees which are $k$-branching. By $A^{k,tot}$ and $A^{k,fd}$ we denote, respectively, the set of $k$-branching trees and the set of finite trees whose non-leaf nodes have exactly $k$ successors. We carry over the definitions of $ncl$ and $fcl$ from the previous sections, restricted now to $k$-branching trees over finite alphabets. Below we show that $ncl$ and $fcl$ agree on linear time safety properties (recall that $ncl.p \subseteq fcl.p$).

Theorem 5 Suppose $h$ is a safety property over $\Sigma^\omega$; then $fcl.Eh = ncl.Eh = Eh$ and $fcl.Ah = ncl.Ah = Ah$.

Proof We have that $Eh \subseteq fcl.Eh$. So suppose $\mathbf{t} = (T, \tau) \in fcl.Eh$; this means that for all $\mathbf{u} \in A^{k,fd}$, $\mathbf{u} \sqsubseteq \mathbf{t}$ implies there is a $\mathbf{t}' \in A^{k,tot}$ such that $\mathbf{u} \sqsubseteq \mathbf{t}'$ and $\mathbf{t}' \in Eh$.

We will show that $\mathbf{t}$ contains a path $p$ such that $\tau(p) \models h$. Consider the tree $\mathbf{v} = (V, \varphi)$ defined as follows: $V = \{\sigma \in T : (\exists y \in \Sigma^\omega :: \tau(\hat{\sigma})y \models h)\}$ and $\varphi.\sigma = \tau.\sigma$. $V$ has an infinite number of nodes, as any prefix of $\mathbf{t}$ can be extended to a tree in $Eh$. $V$ is also finitely branching; thus, by König's lemma, it has an infinite path. For any such infinite path $p$, $\tau(p) \models h$ because $h$ is a safety property. Since $V \subseteq T$, $p$ is a path in $T$; hence, $\mathbf{t} \in Eh$.

The rest of the proof is along the lines of the proof of Theorem 3. □

For linear time liveness properties, however, $fcl$ and $ncl$ do not agree, e.g., $fcl.AFP = A^{k,tot}$ whereas $ncl.AFP \neq A^{k,tot}$. We have the following.

Lemma 24 Suppose $h$ is a liveness property over $\Sigma^\omega$; then $fcl.Eh = ncl.Eh = A^{k,tot}$ and $fcl.Ah = A^{k,tot}$.
The close relationship between properties of programs and automata has been well documented [24, 8]. In particular, given a finite state Büchi automaton, $B$, over infinite strings (recall that Büchi automata recognize regular languages of $\omega$-strings), it is possible to decompose $B$ into automata $B_S$ and $B_L$ such that the set of strings accepted by $B_S$ is a safety property and the set of strings accepted by $B_L$ is a liveness property [3]. Furthermore, the set of strings accepted by $B$ is equal to the intersection of the sets of strings accepted by $B_S$ and $B_L$. We show that a similar result for Rabin tree automata is possible to achieve (recall that Rabin automata recognize regular languages of $\omega$-trees). That is, we show that any set of trees recognizable by a Rabin tree automaton is decomposable into the intersection of: a universally safe set and a universally live set, an existentially safe set and an existentially live set, and an existentially safe set and a universally live set, all of which are Rabin tree automata definable.

A Rabin tree automaton $B = (\Sigma, Q, q_0, \delta, \Phi)$ on $k$-ary infinite trees is defined as follows: $\Sigma$ is a finite alphabet, $Q$ is a finite set of states, $q_0 \in Q$ is the start state, $\delta : Q \times \Sigma \to \mathcal{P}(Q^k)$ is the transition relation, and $\Phi$ is the accepting condition.

Let $\mathbf{t} = (W, w) \in A^{k,tot}$. A run of $B$ on $\mathbf{t}$ is a $Q$-labeled tree $\mathbf{r} = (W, \rho) \in A^{k,tot}$ such that $\rho.\lambda = q_0$ ($\lambda$ being the empty sequence, i.e., the root) and for all $\sigma \in W$ and successors $\sigma a_0, \ldots, \sigma a_{k-1} \in W$, $(\rho.\sigma a_0, \ldots, \rho.\sigma a_{k-1}) \in \delta(\rho.\sigma, w.\sigma)$. Run $\mathbf{r}$ is accepting iff for all infinite paths $p$ in $W$, $\rho(p) \models \Phi$. $\mathcal{L}(B) = \{\mathbf{t} \in A^{k,tot} : \text{there is an accepting run of } B \text{ on } \mathbf{t}\}$ is the language of $B$.

The accepting condition, $\Phi$, is given by specifying pairs of sets $(green_i, red_i) \in (\mathcal{P}(Q))^2$ for $i \in [0..m]$, for some $m$. $\Phi$ holds on a path if for some $i$, some green state is visited infinitely often and all red states are visited finitely often, i.e., $\Phi = \bigvee_{i} [(\bigvee_{g \in green_i} GFg) \wedge (\bigwedge_{r \in red_i} FG\neg r)]$.

For notational convenience, given a Rabin automaton $B = (\Sigma, Q, q_0, \delta, \Phi)$ we will refer to $B(q)$, $q \in Q$, as the automaton given by $(\Sigma, Q, q, \delta, \Phi)$. Given automaton $B = (\Sigma, Q, q_0, \delta, \Phi)$ such that $\mathcal{L}.B \neq \emptyset$, note that $\mathcal{L}.B = \mathcal{L}.(\Sigma, Q', q_0, \delta', \Phi)$ where $Q' = \{q \in Q : \mathcal{L}(B(q)) \neq \emptyset\}$ and $\delta'$ is $\delta$ restricted to $Q'$. We define the finite depth closure, $rfcl$, of an automaton as follows: if $\mathcal{L}.B = \emptyset$, $rfcl.B = B$; otherwise, $rfcl.B = (\Sigma, Q', q_0, \delta', \Phi')$ where $\Phi' = \bigvee_{q \in Q'} GFq$ is a condition that holds along all paths and is generated from $\{(Q', \emptyset)\}$.

Lemma 25 $\mathcal{L}(rfcl.B) = fcl.\mathcal{L}(B)$.

Proof If $\mathcal{L}.B = \emptyset$, then $\mathcal{L}(rfcl.B) = fcl(\mathcal{L}.B) = \emptyset$, so we assume $\mathcal{L}.B \neq \emptyset$.

Suppose $\mathbf{t} = (W, w) \in \mathcal{L}(rfcl.B)$; then there is an accepting run $\mathbf{r} = (W, \rho)$ of $rfcl.B$ on $\mathbf{t}$. Consider any $\mathbf{u} = (U, v) \in A^{k,fd}$ such that $\mathbf{u} \sqsubseteq \mathbf{t}$; $\mathbf{r}' = (U, \rho|_U)$ is a partial run of $rfcl.B$ on $\mathbf{u}$. By the construction of $rfcl.B$, each leaf node $\sigma \in U$ of $\mathbf{r}'$ is labeled by a state $\rho.\sigma \in Q'$. This means, however, that $\mathcal{L}.B(\rho.\sigma) \neq \emptyset$ and therefore that each leaf node is extendible into some tree which is accepted by the automaton state labeling the leaf. This implies that for some tree $\mathbf{t}' \in \mathcal{L}.B$, $\mathbf{u} \sqsubseteq \mathbf{t}'$ and hence $\mathbf{t} \in fcl(\mathcal{L}.B)$.

Suppose $\mathbf{t} \in fcl(\mathcal{L}.B)$; then for all $\mathbf{t}^i \sqsubseteq \mathbf{t}$, where $\mathbf{t}^i$ denotes the subtree of $\mathbf{t}$ up to level $i$, there exists $\mathbf{u}_i$ such that $\mathbf{t}^i \sqsubseteq \mathbf{u}_i$ and $\mathbf{u}_i \in \mathcal{L}.B$; hence, there exists a run $\mathbf{r}_i$ of $B$ on $\mathbf{u}_i$. We now define a run, $\mathbf{r}$, of $rfcl.B$ on $\mathbf{t}$. $\mathbf{r}^i$, the subtree of $\mathbf{r}$ up to level $i$, is defined recursively as follows. For the base case, $\mathbf{r}^0$ labels the root by $q_0$ and $R_0 = \omega$. For the recursive case, choose $\mathbf{r}^{i+1}$ so that for infinitely many $j \in R_i$, $\mathbf{r}_j$ labels $\mathbf{t}^{i+1}$ by $\mathbf{r}^{i+1}$, and let $R_{i+1} = R_i \setminus \{j \in R_i : \mathbf{r}_j^{i+1} \neq \mathbf{r}^{i+1}\}$. Note that for all $i$, $R_i$ is an infinite set such that for all $j \in R_i$, $\mathbf{r}_j^i = \mathbf{r}^i$. This is true for $R_0$ as all runs label the root $q_0$. Assuming it is true for $R_i$, then by definition, if $R_{i+1}$ contains $j$, $\mathbf{r}_j^{i+1} = \mathbf{r}^{i+1}$. Since the number of possible labelings of $\mathbf{t}^{i+1}$ is finite, by the pigeon-hole principle, an infinite subset of $R_i$ indexes runs that assign the same labeling to $\mathbf{t}^{i+1}$. Since the acceptance condition for $rfcl.B$ is trivially satisfied, we have shown that $\mathbf{r}$ is a run of $rfcl.B$ on $\mathbf{t}$. □

The consequence of this is the following:

Theorem 6 For any Rabin tree automaton $B$, there exist effectively derivable Rabin automata $B_{safe}$ and $B_{live}$ such that $\mathcal{L}.B = \mathcal{L}.B_{safe} \cap \mathcal{L}.B_{live}$ and $\mathcal{L}.B_{safe}$ is universally safe while $\mathcal{L}.B_{live}$ is universally live.

Proof Recall that non-emptiness of Rabin tree automata is decidable and Rabin automata are effectively closed under complementation and union [24]. Thus, $B_{safe} = rfcl.B$ and $B_{live} = B \cup (A^{k,tot} \setminus rfcl.B)$ can be effectively derived from $B$. That $B_{safe}$ is safe follows from the above lemma, and $B_{live}$ is live because for any property $P$, $P \cup (A^{k,tot} \setminus fcl.P)$ is live. □

Similarly, it is possible to define the non-total closure of a Rabin automaton, which gives rise to the following theorem.

Theorem 7 For any Rabin tree automaton $B$, there exist effectively derivable Rabin automata $B_{safe}$ and $B_{live}$ such that $\mathcal{L}.B = \mathcal{L}.B_{safe} \cap \mathcal{L}.B_{live}$, and $\mathcal{L}.B_{safe}$ is existentially safe (existentially safe) while $\mathcal{L}.B_{live}$ is existentially live (universally live).
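The construction behind Theorem 6 (keep only states with non-empty language, then make acceptance trivial) has a direct word analogue for the Büchi automata mentioned at the start of this section. The following added example, not code from the paper, implements that analogue and uses it to check the two linear time claims of Section 3.5: that the closure of p3 is p1, and that the closures of p4 and p5 are $\Sigma^\omega$. The automata, state names and the two-letter alphabet are constructed for the example.

```python
"""Safety closure of a Büchi word automaton, the word analogue of rfcl
(Theorem 6 / Lemma 25).  Added example, not code from the paper.  Rem's
p1, p3, p4 and p5 are constructed below over the constructed alphabet
{'a', 'b'}, where 'b' stands for "any symbol other than a"."""
from collections import deque
from itertools import product


class Buchi:
    """Nondeterministic Büchi automaton; delta maps (state, symbol) to a set
    of successors, and a missing key means there is no transition."""

    def __init__(self, alphabet, states, start, delta, accepting):
        self.alphabet = frozenset(alphabet)
        self.states = frozenset(states)
        self.start = start
        self.delta = {k: frozenset(v) for k, v in delta.items()}
        self.accepting = frozenset(accepting)

    def succ(self, q, a):
        return self.delta.get((q, a), frozenset())

    def reachable(self, q):
        """States reachable from q in one or more steps (q itself only via a cycle)."""
        seen, todo = set(), deque([q])
        while todo:
            p = todo.popleft()
            for a in self.alphabet:
                for r in self.succ(p, a):
                    if r not in seen:
                        seen.add(r)
                        todo.append(r)
        return seen

    def live_states(self):
        """Q' = {q : L(B(q)) is non-empty}: q reaches an accepting state on a cycle."""
        on_cycle = {f for f in self.accepting if f in self.reachable(f)}
        return frozenset(q for q in self.states if self.reachable(q) & on_cycle)


def safety_closure(B):
    """Automaton for lcl.L(B): drop states with empty language and make every
    remaining state accepting, as rfcl does for Rabin tree automata.  If L(B)
    is empty the automaton is returned unchanged, as in the paper."""
    live = B.live_states()
    if B.start not in live:
        return B
    delta = {(q, a): s & live for (q, a), s in B.delta.items() if q in live}
    return Buchi(B.alphabet, live, B.start, delta, live)


def states_after(B, u):
    """States reachable from the start state on the finite word u."""
    cur = {B.start}
    for a in u:
        cur = {p for q in cur for p in B.succ(q, a)}
    return cur


def prefix_extendable(B, u):
    """Is u a prefix of some word in L(B)?  An infinite word lies in lcl.L(B)
    iff every one of its finite prefixes passes this test."""
    return bool(states_after(B, u) & B.live_states())


def same_prefixes(B1, B2, max_len=4):
    """Do B1 and B2 have the same extendable prefixes up to max_len?  Two
    safety properties are equal iff their sets of extendable prefixes agree."""
    words = (''.join(w) for n in range(max_len + 1) for w in product('ab', repeat=n))
    return all(prefix_extendable(B1, w) == prefix_extendable(B2, w) for w in words)


ALPHABET = {'a', 'b'}
# p1: the first symbol is a.  The 'dead' sink records a wrong first symbol.
P1 = Buchi(ALPHABET, {'s0', 'acc', 'dead'}, 's0',
           {('s0', 'a'): {'acc'}, ('s0', 'b'): {'dead'},
            ('acc', 'a'): {'acc'}, ('acc', 'b'): {'acc'},
            ('dead', 'a'): {'dead'}, ('dead', 'b'): {'dead'}}, {'acc'})
# p3: the first symbol is a and some later symbol differs from a.
P3 = Buchi(ALPHABET, {'s0', 'wait', 'acc'}, 's0',
           {('s0', 'a'): {'wait'}, ('wait', 'a'): {'wait'}, ('wait', 'b'): {'acc'},
            ('acc', 'a'): {'acc'}, ('acc', 'b'): {'acc'}}, {'acc'})
# p4: finitely many a's (nondeterministically guess that the last a has passed).
P4 = Buchi(ALPHABET, {'s0', 'fin'}, 's0',
           {('s0', 'a'): {'s0'}, ('s0', 'b'): {'s0', 'fin'}, ('fin', 'b'): {'fin'}},
           {'fin'})
# p5: infinitely many a's.
P5 = Buchi(ALPHABET, {'s0', 's1'}, 's0',
           {('s0', 'a'): {'s1'}, ('s0', 'b'): {'s0'},
            ('s1', 'a'): {'s1'}, ('s1', 'b'): {'s0'}}, {'s1'})

if __name__ == '__main__':
    print('lcl.p3 = p1:', same_prefixes(safety_closure(P3), P1))
    # a^omega is not in p4, yet every prefix a^n can still be extended into p4.
    print('lcl.p4 = Sigma^omega:', safety_closure(P4).accepting == P4.states,
          prefix_extendable(P4, 'aaaa'))
    print('p1 closure drops dead state:', 'dead' not in safety_closure(P1).states)
```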

5 Conclusion

We have given a computation-tree based semantic characterization of the intuitive notions of safety and liveness. Our characterizations are given in terms of the closures of sets of trees in a manner analogous to Gumm's [13] generalization of the work of Alpern and Schneider for linear time [2]. In fact, our results when restricted to sets of strings are identical since in that case $ncl.p = fcl.p = lcl.p$. Our approach and examples draw heavily on Rem's very readable presentation [22] of the Alpern and Schneider results.

Decomposing branching time properties into four extremal classes, viz., universally safe, universally live, existentially safe, and existentially live, has allowed a characterization of safety and liveness properties which respects the branching time temporal operators $A$ and $E$ of CTL. In contrast, the work of Bou ajjani et al. [6] is restricted to the regular trees and does not distinguish between existentially and universally safe. They consider only a single closure operator, and choosing either $fcl$ or $ncl$ as that operator results in either $EGP$ not being a safety property or $AFP$ not being a liveness property. In particular, it is possible to show that $EGP$ is not definable by the class of safety recognizers (a restricted class of Rabin tree automata; see the appendix for a proof) and therefore is not classified as a safety property as defined by Bouajjani et al., even under the restriction of finitely branching regular trees.

Possible directions for future work include defining subclasses of safety and liveness formulae and syntactically characterizing them, as has been done in the linear time framework by Sistla [23]. Another question is whether there are efficient model checking algorithms for branching time safety properties (see Kupferman and Vardi [18]).
A Appendix

All definitions and terminology in the appendix are taken from Bouajjani et al. [6].

Definition 13 A Kripke tree is a tuple $K = (Q, \Sigma, q_0, R, \pi)$ where $Q$ is a countable set of states, $q_0$ is the initial state, $R \subseteq Q \times Q$ is the transition relation (having no cycles and enforcing finite branching), $\Sigma$ is a finite alphabet and $\pi : Q \to \Sigma$ is the labeling function.

Definition 14 A safety recognizer is a tuple $S = (\Sigma, W, w_0, \rho)$ where $W$ is a finite set of states, $w_0$ is the initial state and $\rho \subseteq W \times \Sigma \times \mathcal{P}(W)$ is the transition relation.

Definition 15 A safety recognizer $S = (\Sigma, W, w_0, \rho)$ accepts Kripke tree $K = (Q, \Sigma, q_0, R, \pi)$ iff there exists $\lambda : Q \to W$ such that $\lambda(q_0) = w_0$ and for all $q \in Q$ there exists $\Gamma \subseteq W$ such that $(\lambda(q), \pi(q), \Gamma) \in \rho$ and $\{\lambda(q') : (q, q') \in R\} \subseteq \Gamma$.

Lemma 26 There is no safety recognizer $S$ such that $S$ accepts $K$ iff $K$ satisfies EGP.

Proof Assume, to the contrary, that there is such an $S = (\Sigma, W, w_0, \rho)$.

Let $K = (Q, \Sigma, q_0, R, \pi)$ be defined as follows: $\{q : (q_0, q) \in R\} = \{q_1, q_2\}$. Furthermore, $\pi(q_0) = \pi(q_2) = P$ and $\pi(q_1) = \neg P$. Also, suppose $K$ is a total tree and $K$ has one full path (through $q_2$) which satisfies GP. Since $K$ satisfies EGP, by assumption $K$ is accepted by $S$ and there exists $\lambda : Q \to W$ such that $\lambda(q_0) = w_0$ and for all $q \in Q$ there exists $\Gamma \subseteq W$ such that $(\lambda(q), \pi(q), \Gamma) \in \rho$ and $\{\lambda(q') : (q, q') \in R\} \subseteq \Gamma$.

Consider $K' = (Q', \Sigma, q_0, R', \pi')$ defined as follows. Intuitively, $K'$ consists of the root of $K$, the subtree of $K$ rooted at $q_1$ plus another copy of the subtree rooted at $q_1$ in place of the subtree rooted at $q_2$, which has been completely excised. Formally, let $Q_1 = \{q \in Q : q \text{ is a descendant of } q_1 \text{ in } K\}$. Then $Q' = \{q_0\} \cup Q_1 \cup \{q' : q \in Q_1\}$, and $(a, b) \in R'$ iff

• $a = q_0$ and $b = q_1$ or $b = q_1'$, or

• $a, b \in Q_1$ and $(a, b) \in R$, or

• $q, r \in Q_1$, $(q, r) \in R$, $a = q'$ and $b = r'$.

$\pi'$ is defined as follows: $\pi'(q_0) = \pi(q_0)$; for $q \in Q_1$, $\pi'(q) = \pi(q)$; for $q \in Q_1$, $\pi'(q') = \pi(q)$. Clearly, $K'$ does not satisfy EGP.

Consider $\lambda' : Q' \to W$ defined as follows: $\lambda'(q_0) = \lambda(q_0)$; for all $q \in Q_1$, $\lambda'(q) = \lambda(q)$ and $\lambda'(q') = \lambda(q)$. Then $\lambda'(q_0) = \lambda(q_0) = w_0$. Also, $(\lambda(q_0), \pi(q_0), \Gamma) \in \rho$ and $\{\lambda(q_1), \lambda(q_2)\} \subseteq \Gamma$ for some $\Gamma$. Hence $\{\lambda'(q_1), \lambda'(q_1')\} \subseteq \Gamma$ and $(\lambda'(q_0), \pi'(q_0), \Gamma) \in \rho$.

Suppose $q \in Q_1$. Then $(\lambda(q), \pi(q), \Gamma_q) \in \rho$ for some $\Gamma_q$ with $\{\lambda(r) : (q, r) \in R\} \subseteq \Gamma_q$. This implies that $(\lambda'(q), \pi'(q), \Gamma_q) \in \rho$ and that $\{\lambda'(r) : (q, r) \in R'\} \subseteq \Gamma_q$. Furthermore, $(\lambda'(q'), \pi'(q'), \Gamma_q) \in \rho$ and $\{\lambda'(r') : (q', r') \in R'\} \subseteq \Gamma_q$. Hence $S$ accepts $K'$, contradicting the assumption that $S$ accepts only those trees satisfying EGP. □
Semistructured Data: from Practice to Theory


Serge  Abiteboul 


Abstract 

Semistructured  data  is  data  that  presents  some  regu¬ 
larity  (it  is  not  an  image  or  plain  text)  but  perhaps  not 
as  much  as  some  relational  data  or  some  ODMG  data 
(the  standard  of  object  databases).  Such  data  is  be¬ 
coming  increasingly  important  and,  with  XML,  should 
become  the  standard  for  publishing  data  on  the  Web. 
With  XML,  the  Web  is  turning  into  a  worldwide,  het¬ 
erogeneous,  distributed  database.  In  this  paper,  we 
briefly  discuss  typing  and  languages  for  semistructured 
data  and  some  new  issues  arising  from  the  context  of 
data  management  on  the  Web. 


1  Introduction 

The  amount  of  data  of  all  kinds  available  electron¬ 
ically  has  increased  dramatically  in  recent  years.  The 
data  resides  in  different  forms,  ranging  from  unstruc¬ 
tured  data  in  file  systems  to  highly  structured  in  rela¬ 
tional  database  systems.  Data  is  accessible  through  a 
variety  of  interfaces  including  Web  browsers,  database 
query  languages,  application-specific  interfaces,  or  data 
exchange  formats.  A  lot  of  information  can  already  be 
found on the Web, sometimes hidden behind forms (the deep Web) or protected by passwords and firewalls. Some of this data is raw data, e.g., images or sound. Some is text (e.g., in HTML) allowing access to information via search engines. A lot of this information has some structure, e.g., documents in HTML or XML (the eXtensible Markup Language), the forthcoming semistructured standard of the Web.

Semistructured  data  was  first  studied  in  the  context 
of  integration  of  a  large  volume  of  data  from  heteroge¬ 
neous  sources.  Data  exchange  formats,  essentially  syn¬ 
tax  for  semistructured  data,  naturally  arose  in  a  num¬ 
ber  of  fields  that  felt  uncomfortable  with  the  lack  of 
flexibility  of  traditional  database  systems,  e.g.,  ASN.l. 
With  the  popularity  of  the  Web  and  the  choice  of  XML, 
such  a  model,  for  replacing  HTML,  the  area  gained  a 
lot  of  momentum.  Indeed,  I  like  to  think  of  the  Web 
of  tomorrow  as  a  gigantic,  distributed  semistructured 


database.  This  is  somewhat  the  vision  followed  in  the 
Xyleme  Project  that  we  initiated  at  INRIA  [20]  which 
aims  at  building  a  dynamic  warehouse  of  XML  data 
found  on  the  Web. 

The  main  goal  of  the  present  paper  is  to  discuss 
essential  aspects  of  semistructured  data  and  consider 
proposals  for  foundations  for  such  data.  We  will  see 
that  these  borrow  a  lot  from  computer  science  theory: 
database  theory,  logic  and  computer  science,  automata 
and  language  theory,  type  theory. 

The  paper  is  organized  as  follows.  In  Section  2,  we 
define  semistructured  data.  In  the  next  two  sections, 
we  discuss  typing  and  query  languages.  The  separation 
between  these  two  sections  is  somewhat  arbitrary  since 
the  topics  are  obviously  closely  related.  Most  works 
on  typing  and  queries  for  semistructured  data  have  fo¬ 
cused  on  single  documents  or  small  collections  of  doc¬ 
uments.  In  a  last  section,  we  discuss  new  challenges 
that  arise  from  moving  to  the  scale  of  the  Web. 

Although  the  area  is  rather  young,  it  is  very  active 
and  the  literature  it  generates  keeps  growing.  For  in¬ 
stance,  I  found  74  references  in  the  DBLP  Anthology 
[8]  for  “semistructured”  and  54  for  “semi-structured” 
(which  is  why  I  am  using  the  spelling  “semistruc¬ 
tured”).  I  will  provide  here  only  few  references.  Many 
more  can  be  found  in  the  book  [1].  More  references 
on  the  theory  of  semistructured  data  can  be  found  in 
Vianu’s  nice  survey  [17].  One  might  also  want  to  look 
at the tutorial on semistructured data and XML by Suciu at VLDB99 [14]. References for databases can be
found  in  [15,  16,  2].  A  good  entry  point  for  XML  (and 
everything  on  it)  is  W3C,  the  WWW  Consortium  [18]. 

2  Semistructured  Data 

In  this  section,  we  make  more  precise  the  notion 
of  semistructured  data,  how  such  data  arises,  and  de¬ 
scribe  its  main  aspects. 

Semistructured  data  is  data  that  presents  some  reg¬ 
ularity  (it  is  not  an  image  or  plain  text)  but  perhaps 
not  as  much  as  some  relational  data  or  some  ODMG 
data  (the  standard  of  object  databases).  Clearly,  this 
definition  is  imprecise.  For  instance,  would  a  BibTex 
file be considered structured or semistructured? Indeed, the same piece of information may be viewed as
unstructured  at  some  early  processing  stage,  but  later 
become  very  structured  after  some  analysis  has  been 
performed.  The  first  use  of  the  term  semistructured 
(to  my  knowledge)  is  in  the  OEM  model  [12].  Essen¬ 
tially  the  same  model  was  proposed  simultaneously  in 
[11].  The  most  popular  example  of  semistructured  data 
today  is  XML  [18].  We  will  focus  on  XML  here,  and 
present  it  next  (in  simplified  form). 

An  example  of  an  XML  document  is  the  text  given  in 
Figure  1,  left.  There  is  an  alternative  vision  of  the  same 
document  as  a  tree,  also  given  in  the  figure.  Ignoring 
details  XML  has  three  main  components: 

Ordered  tree  (elements  and  text  nodes):  An  XML 
piece  of  data  is  a  tree  where  leaves  are  called 
text  nodes  (grey  discs  in  the  figure)  and  other 
nodes,  the  element  nodes  (white  discs)  may  have 
an  unbounded  number  of  ordered  children.  Each 
node  has  a  value  (a  string)  attached  to  it.  The 
value  of  an  element  is  called  a  label  or  a  tag. 

Attributes  nodes:  Element  nodes  may  also  have  at¬ 
tributes  (represented  by  a  square  in  the  figure). 
Each  node  may  have  at  most  one  attribute  with  a 
given  label.  Furthermore,  the  attributes  of  a  node 
are  viewed  as  unordered. 

Graph: A standard trick allows to move to a graph representation. See Figure 2. Some nodes are given identifiers and references to these identifiers may be used in other places of the document.

Ignoring attributes and text, i.e., focusing on the core syntax of XML (i.e., tags), leads to a particular class of context-free languages, see [6]. Let $A$ be the set of opening tags (e.g., ⟨title⟩) and $\bar{A}$ the set of closing tags (e.g., ⟨/title⟩). Then a well-formed XML document is a string of tags of the form $a \ldots \bar{a}$ for some tag $a$, that is correctly parenthesized. Thus, a strong connection exists between the XML world and languages known in formal language theory under the name of the set of Dyck primes.

What  is  exactly  XML?  Three  alternative  viewpoints 
are  shown  in  Figure  1. 

1.  A  word:  A  piece  of  XML  data  is  a  word  in  some 
standard  language.  This  is  a  giant  step:  one  needs 
only  one  parser,  one  browser,  one  editor,  etc. 

2.  A  tree:  The  same  data  may  be  viewed  as  a  tree, 
the  parse  tree  of  the  word. 

3. An object: It may also be viewed as an object with an interface, e.g., a method get_parent, in a standardized application programming interface, namely DOM for Document Object Model (the main interface to program applications with XML data).

XML  provides  three  more  viewpoints: 

1.  A  document:  Data  may  be  displayed  with  stan¬ 
dard  Web  browsers.  For  that,  we  attach  a  style- 
sheet  (in  a  format  called  XSL)  to  an  XML  string 
to  provide  it  with  a  presentation.  The  simple  (and 
old)  idea  of  separating  the  data  and  its  presenta¬ 
tion  is  finally  coming  to  the  Web. 

2. Type data: a type (in a format called DTD, Document Type Definition) or a schema (XML-schema) can be attached to some XML data. (See Section 3.) Now, this is the Web, so one should not expect everybody to use the same tag (e.g., address) for the same concept, or the same type for a given tag.

3.  Semantics:  Once  typed  information  is  provided, 
one  can  attach  semantics  to  it  and  describe  that 
semantics. For instance, the Resource Description
Framework  (RDF)  is  a  standard  for  publishing  se¬ 
mantic  descriptions  of  Web  resources.  This  is  lead¬ 
ing  to  the  realm  of  “semantic  Web”. 

Thus XML is reconciling many worlds. In particular, one can view it as the convergence of databases and (hypertext) documents. Viewing XML as text and presentation is central for document management but will be little considered here. We are more concerned with viewing XML as data, or knowledge. Furthermore, we are primarily interested in considering the knowledge available on the Web as a distributed XML database that can be queried like any centralized database.

Given this worldwide, distributed, heterogeneous database of semistructured data, a first issue is its management. Can database technology be used? Observe that database systems have been successful because they are easy to use and very efficient. There are many reasons for this: in a database system, (i) data is very structured and rigid; (ii) data has a precise known location, generally centralized; (iii) a cost model for queries is available (even if most of the time it is very rough) to perform optimization; (iv) data can be trusted and is non-contradictory. Every one of these points is defeated for semistructured data on the Web. A second issue is that of formal foundations. Can database theory be used? What else can be used?

3  Typing 

We  consider  in  this  section  the  issue  of  typing 
semistructured  data. 
Figure 1. XML and trees. The text view of the figure is the document below; the tree view (element nodes as white discs, text nodes as grey discs, attributes as squares) and the object view are not reproduced.

<biblio date="2001">
<book key="U">
<title>DBMS</title>
<author>J.D. Ullman</author>
</book>
<book key="AHV">
<title>DBTheory</title>
<author>Abiteboul</author>
<author>Hull</author>
<author>Vianu</author></book>
<book key="ABS">
<not entered/>
</book></biblio>

Object view, node interface: get_tag_name, get_parent, get_root, get_attribute_list, get_first_child, get_children_by_tag, get_type.

Figure 2. XML and graphs (not reproduced).
First, we shall stress that types should not be too constraining in this context. For instance, it is acceptable to have an XML document without type or XML data with portions that are typed and others that are not. More precisely, although the document has some structure, the structure may be irregular (e.g., missing data) and may even violate the type that it is supposed to obey. In traditional databases, data may be large and rapidly evolving whereas types are supposed to be relatively small and stable. This is not true for semistructured data. Indeed, the almost religious distinction between schema and data found in databases is blurred here. Underlying all these aspects is a need for flexibility. Flexible typing is not a new notion. For instance, parameterized records have been studied in the context of typed functional languages that allow to type functions applying to records with variable collections of attributes. So, for instance, we may want to see the "type" of a book as:

[title, author, editor?, year, more]

where the question mark means that editor is not a compulsory attribute and more means that other labels are acceptable there as well.

We next develop some (light) formalism for semistructured data and XML typing. As already mentioned, XML is a syntax. Recall that it is based on opening tags in $A$ and closing tags in $\bar{A}$ with proper parenthesizing. A grammatical approach can be used to define the type of a document. More precisely, one can specify that a particular document is valid with respect to a certain Document Type Definition (DTD). DTDs may be viewed as particular context-free grammars. (An example of a possible DTD for the data in Figure 1 and of the same type in a richer formalism, namely XML-schema, are given in Figure 3.) These grammars are special in that each word generated by one such grammar (almost) encodes its parse-tree. More precisely, a DTD specifies for each tag $a$ a regular expression which tells what can be found between $a$ and $\bar{a}$. An example of DTD (using formal language notation and not XML notation) is as follows:

$X_a \to a\,(X_e^{*} \mid X_c)\,\bar{a} \qquad X_e \to e\,X_c\,\bar{e} \qquad X_c \to c\,\bar{c}$

where, for instance, the regular expression defining what may be found between $a$ and $\bar{a}$ is $X_e^{*} \mid X_c$. A valid word for this DTD is, for instance, $a\,e\,c\,\bar{c}\,\bar{e}\,e\,c\,\bar{c}\,\bar{e}\,\bar{a}$.

An  XML-language  is  the  set  of  valid  words  for  a 
given  DTD.  It  is  a  context-free  language.  However, 
XML-languages enjoy many properties that do not hold
in  general  for  context-free  languages.  For  instance,  it 
is  not  complicated  to  show  that  XML-languages  are 


closed  under  intersection  [6].  Note  however  that  the 
situation  is  a  bit  more  confusing  because  the  field  is 
still  changing  rapidly.  There  are  proposals  to  extend 
DTDs  (e.g.,  X-schemas)  that  may  modify  the  kind  of 
results  that  hold  for  DTDs  as  they  now  stand. 
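The two checks the preceding paragraphs describe, well-formedness (is the tag word a Dyck prime?) and validity (does each node's child-label word lie in the regular language its DTD assigns to the tag?), as an added example in Python that is not part of the paper. The DTD is encoded as a dictionary from tag to regular expression over child labels; the encodings of the formal grammar above and of the biblio DTD of Figure 3, the "/a" spelling of a closing tag, and the "<label>" encoding of child labels inside the checked word are all assumptions of this example. For a document that arrives from an untrusted source, these two checks are the cheapest place to reject it before any query or transformation touches it.

```python
import re
from typing import Dict, List, Optional, Tuple

# A DTD in the sense of the text: for each tag, a regular expression over the
# child tags allowed between the tag and its closing tag.  Child labels are
# written as <label> inside the checked word so multi-letter labels stay unambiguous
# (constructed encoding, not the paper's notation).
Dtd = Dict[str, str]

# The formal example of the text:  X_a -> a (X_e* | X_c) a-bar,
# X_e -> e X_c e-bar,  X_c -> c c-bar.
FORMAL_DTD: Dtd = {"a": "(<e>)*|<c>", "e": "<c>", "c": ""}

# The biblio DTD of Figure 3, text and attributes ignored: a book is either
# title author* or empty (#PCDATA).
BIBLIO_DTD: Dtd = {"biblio": "(<book>)*", "book": "<title>(<author>)*|",
                   "title": "", "author": ""}

Tree = Tuple[str, List["Tree"]]   # (label, children)


def parse_tag_word(word: List[str]) -> Optional[Tree]:
    """Parse a word of tags (closing tag a-bar written "/a") into its parse tree.
    Returns None unless the word is exactly one correctly parenthesized element,
    i.e. a Dyck prime over the tag alphabet."""
    stack: List[Tree] = []
    root: Optional[Tree] = None
    for tok in word:
        if root is not None:
            return None                      # material after the root element closed
        if tok.startswith("/"):
            if not stack or stack[-1][0] != tok[1:]:
                return None                  # unmatched or mismatched closing tag
            node = stack.pop()
            if stack:
                stack[-1][1].append(node)
            else:
                root = node
        else:
            stack.append((tok, []))
    return root                              # None if some tag was never closed


def valid_for(dtd: Dtd, tree: Tree) -> bool:
    """Validity: every node's child-label word lies in the regular language
    the DTD assigns to that node's tag, recursively down the tree."""
    label, children = tree
    if label not in dtd:
        return False                         # tag unknown to the DTD
    child_word = "".join(f"<{c[0]}>" for c in children)
    if re.fullmatch(dtd[label], child_word) is None:
        return False
    return all(valid_for(dtd, c) for c in children)


def check(dtd: Dtd, word: List[str]) -> str:
    """'malformed' (not a Dyck prime), 'invalid' (well formed but outside the
    XML-language of the DTD) or 'valid'."""
    tree = parse_tag_word(word)
    if tree is None:
        return "malformed"
    return "valid" if valid_for(dtd, tree) else "invalid"


# The valid word of the text: a e c c-bar e-bar e c c-bar e-bar a-bar
FORMAL_WORD = ["a", "e", "c", "/c", "/e", "e", "c", "/c", "/e", "/a"]

if __name__ == "__main__":
    print(check(FORMAL_DTD, FORMAL_WORD))
    print(check(BIBLIO_DTD, ["biblio", "book", "author", "/author",
                             "title", "/title", "/book", "/biblio"]))
```

Because validity is decided per node by one `re.fullmatch` over the child labels, the check is linear in the document size for a fixed DTD, which is what makes it affordable as a front-line filter; the parse step alone already rejects the mismatched-tag and unclosed-tag inputs that trip up hand-written tag scanners.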

To  continue  with  the  issue  of  semistructured  data 
typing,  we  may  also  think  of  XML  as  data  and  adopt 
a  more  database-like  approach.  We  may  first  try  to 
use  what  is  known  from  the  relational  database  world. 
It  is  easy  to  represent  XML  data  in  tables  (although 
this  is  probably  not  a  good  idea  for  storing  it).  See 
Figure  4  for  a  relational  representation  of  the  XML 
tree  of  Figure  1.  Like  in  relational  dependency  theory, 
first-order  logic  can  be  used  to  express  properties  on 
these  tables.  For  set-oriented  properties,  this  is  a  rather 
convenient  formalism.  So,  for  instance,  consider  the 
following  DTD  rule: 

$\mathit{book} \to \langle \mathit{book} \rangle\, \mathit{title}\, (\mathit{author})^{*}\, \mathit{year}\, \langle /\mathit{book} \rangle$

Ignoring positions, this can be captured by simple formulas in the style of:

$\forall b\,(\mathit{book}(b) \Rightarrow \exists t\,(\mathit{title}(t) \wedge E(b, t)))$

$\forall b, t, t'\,(\mathit{book}(b) \wedge \mathit{title}(t) \wedge \mathit{title}(t') \wedge E(b, t) \wedge E(b, t') \Rightarrow t = t')$

$\forall b, x\,(\mathit{book}(b) \wedge E(b, x) \Rightarrow (\mathit{title}(x) \vee \mathit{author}(x) \vee \mathit{year}(x)))$

As  already  mentioned,  this  works  fine  for  set- 
oriented  properties.  On  the  other  hand,  in  a  relational 
representation,  the  ordering  of  the  children  of  a  node 
is  captured  by  position  and  the  list  of  these  children  is 
not  directly  available.  Furthermore,  the  tree  structure 
has  been  encoded/buried  into  this  flat  structure.  So, 
many  useful  properties  and  queries  that  typically  re¬ 
fer  to  paths  in  the  tree  cannot  be  directly  captured  in 
first-order  terms.  Following  are  two  examples: 

1.  regular  expressions  on  the  children  of  a  node: 
DTDs  allow  to  state  that,  for  instance,  the 
sequence  of  children  labels  for  a  node  of  label  a 
is  a  word  in  the  language  bc*d.  This  simple  fact  is 
not  easy  to  state  in  first-order  terms. 

2. regular expressions for a downward path: given a document d, it is natural to ask for all the elements o such that the labels on the path from the root to o form, e.g., a word in the language c*(c|/)c. Indeed, such features are supported in a language called XPath that allows to specify complex paths in XML data and is used, in particular, for document presentation. This is also not easy to state in first-order terms.
<!DOCTYPE biblio [
<!ELEMENT biblio (book)*>
<!ELEMENT book ((title, (author)*) | (#PCDATA))>
<!ELEMENT title (#PCDATA)>
<!ELEMENT author (#PCDATA)>
<!ATTLIST book key CDATA #IMPLIED>
<!ATTLIST biblio date CDATA #IMPLIED>
]>

Figure 3. Typing XML with DTD (the XML-schema version mentioned in the text is not reproduced)

Figure 4. Relational Representation (table not reproduced)


This  naturally  suggests  the  need  for  recursion  and  ap¬ 
proaches  based  on  fixpoints  or  proofs  (e.g.,  logic  pro¬ 
gramming  and  deductive  databases). 
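The relational encoding, the three first-order constraints, and the recursion the last paragraph calls for, as an added example in Python that is not from the paper. It loads a constructed node/edge encoding of the Figure 1 tree into an in-memory SQLite database (the table names node and edge and the column layout are assumptions, since Figure 4 is not reproduced), evaluates the three set-oriented constraints as plain SQL, and then computes root-to-node label paths with a recursive common table expression, which is the transitive closure that the flat first-order queries cannot express; a regular expression over those paths gives the second example of the text.

```python
import re
import sqlite3
from typing import Dict, List

# Constructed relational encoding of the Figure 1 tree (table layout is an
# assumption).  One row per node and one row per parent/child edge, with the
# child's position among its siblings; E(b, t) of the text is the edge table.
NODES = [
    (1, "biblio", None), (2, "book", None), (3, "title", "DBMS"),
    (4, "author", "J.D. Ullman"), (5, "book", None), (6, "title", "DBTheory"),
    (7, "author", "Abiteboul"), (8, "author", "Hull"), (9, "author", "Vianu"),
    (10, "book", None), (11, "not_entered", None),
]
EDGES = [  # (parent, child, position)
    (1, 2, 1), (2, 3, 1), (2, 4, 2),
    (1, 5, 2), (5, 6, 1), (5, 7, 2), (5, 8, 3), (5, 9, 4),
    (1, 10, 3), (10, 11, 1),
]


def load() -> sqlite3.Connection:
    """Create the node/edge tables in memory and fill them from the sample."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE node(id INTEGER PRIMARY KEY, label TEXT NOT NULL, value TEXT);
        CREATE TABLE edge(parent INTEGER NOT NULL, child INTEGER NOT NULL,
                          pos INTEGER NOT NULL, PRIMARY KEY (parent, child));
    """)
    con.executemany("INSERT INTO node VALUES (?, ?, ?)", NODES)
    con.executemany("INSERT INTO edge VALUES (?, ?, ?)", EDGES)
    return con


def books_without_title(con: sqlite3.Connection) -> List[int]:
    """Violators of the first formula: every book must have a title child."""
    rows = con.execute("""
        SELECT b.id FROM node b
        WHERE b.label = 'book' AND NOT EXISTS (
            SELECT 1 FROM edge e JOIN node t ON t.id = e.child
            WHERE e.parent = b.id AND t.label = 'title')
        ORDER BY b.id""")
    return [r[0] for r in rows]


def books_with_two_titles(con: sqlite3.Connection) -> List[int]:
    """Violators of the second formula: at most one title child per book."""
    rows = con.execute("""
        SELECT e.parent FROM edge e
        JOIN node t ON t.id = e.child JOIN node b ON b.id = e.parent
        WHERE b.label = 'book' AND t.label = 'title'
        GROUP BY e.parent HAVING COUNT(*) > 1
        ORDER BY e.parent""")
    return [r[0] for r in rows]


def books_with_foreign_children(con: sqlite3.Connection) -> List[int]:
    """Violators of the third formula: a book's children are title, author or year."""
    rows = con.execute("""
        SELECT DISTINCT b.id FROM node b
        JOIN edge e ON e.parent = b.id JOIN node c ON c.id = e.child
        WHERE b.label = 'book' AND c.label NOT IN ('title', 'author', 'year')
        ORDER BY b.id""")
    return [r[0] for r in rows]


def root_paths(con: sqlite3.Connection) -> Dict[int, str]:
    """Label path from the root to every node.  The recursive CTE computes the
    transitive closure of edge, which a first-order query over these flat
    tables cannot express."""
    rows = con.execute("""
        WITH RECURSIVE p(id, path) AS (
            SELECT n.id, n.label FROM node n
            WHERE NOT EXISTS (SELECT 1 FROM edge WHERE child = n.id)
            UNION ALL
            SELECT e.child, p.path || '/' || c.label
            FROM p JOIN edge e ON e.parent = p.id JOIN node c ON c.id = e.child)
        SELECT id, path FROM p""")
    return dict(rows.fetchall())


def nodes_matching(con: sqlite3.Connection, label_regex: str) -> List[int]:
    """Regular path expression: nodes whose root-to-node label path is a word
    of the given regular language (the text's second example)."""
    return sorted(i for i, path in root_paths(con).items()
                  if re.fullmatch(label_regex, path))


if __name__ == "__main__":
    db = load()
    print(books_without_title(db), books_with_foreign_children(db))
    print(nodes_matching(db, r"biblio/book/(author|title)"))
```

On the sample, the book with key ABS (node 10) violates the first and third formulas, which is exactly the "irregular, possibly type-violating" data the typing section says must be tolerated rather than rejected; the path query answers a question that no join of fixed depth over node and edge could.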

The  two  examples  we  used  for  illustrating  the  lim¬ 
itations  of  first-order  logic  were  based  on  regular  lan¬ 
guages.  Indeed,  approaches  based  on  regular  languages 
and  automata  techniques  seem  appropriate  in  this  con¬ 
text  and  have  been  investigated.  For  instance,  one 
can  describe  paths  in  the  XML  tree  corresponding 
to  a  given  DTD  with  regular  languages.  This  has 
been  used  to  provide  user-friendly  graphic  interfaces 
to  query  such  data  (in  the  style  of  Query-by-Example 
for  relational  data).  The  user  navigates  through  the 
documents,  choosing  which  set  of  nodes  to  visit  next 
by  selecting  a  path.  It  is  also  natural  to  describe  the 
type  of  a  document  by  a  tree  or  a  graph.  This  sug¬ 
gests  a  definition  of  typing  based  on  graph  homomor¬ 
phism  in  the  style  of  graph  simulation  used,  e.g.,  in 
program  analysis.  Last  but  certainly  not  least,  there 
have  been  a  series  of  works  on  using  tree  automata 
to  define  semistructured  data  types.  Since  we  will  en¬ 
counter  tree  automata  in  the  context  of  queries  as  well, 
we  postpone  their  discussion  to  the  next  section. 

Between  all  these  approaches,  there  is  no  clear  win¬ 
ner  yet  and  there  is  still  a  long  way  until  an  analog 
for  semistructured  data  to  dependency  theory  for  re¬ 
lational  databases  is  obtained.  The  context  is  much 
richer  and  it  is  likely  that  foundations  for  semistruc¬ 
tured  data  typing  will  be  more  complex  and  borrow 
from several of these approaches. To conclude this discussion on types, we consider two critical uses of types in the Web context:


1. Type integration: In a particular application domain, say biology, if each single person publishing his data on the Web uses untyped XML or her own DTD, the construction of a global view of all the information of the Web in the biology domain will have to rely on expensive AI techniques and will probably remain an elusive goal for a long while. On the other hand, if everyone agrees on one DTD (or a small number of DTDs), this integration becomes feasible, see, e.g., [20].

2.  Type  discovery:  As  already  mentioned,  types  are 
often  not  specified  in  data  found  on  the  Web. 
However,  it  is  important  to  be  able  to  understand 
the  structure  of  data  (discover  its  type)  for  a  num¬ 
ber  of  reasons  ranging  from  query  optimization,  to 
explaining  the  data  to  users. 

4  Logic  and  Queries 

There  are  many  relationships  between  logic  and 
computer  science.  One  may  argue  that  the  most  im¬ 
pressive  practical  application  of  logic  in  computer  sci¬ 
ence  as  of  today  is  relational  databases,  primarily  ow¬ 
ing  to  the  algebraization  of  first-order  logic.  In  a 
nutshell,  this  result  brings  to  millions  of  relational 
database  users  an  interface  to  state  first-order  formu¬ 
las  over  a  finite  structure  and  get  the  bindings  of  vari¬ 
ables  as  answers.  Relational  database  technology  has 
revolutionized  access  to  information.  The  next  revolu¬ 
tion  may  come  from  query  languages  for  semistructured 
data,  when  such  data  becomes  the  Web  of  tomorrow. 
Before considering various approaches to query languages for semistructured data, one should note some
desired  functionalities.  First,  declarative  languages 
are  preferable.  The  old  duality  of  relational  calculus 
(declarative)  vs.  relational  algebra  (operational)  sur¬ 
vives  when  we  move  to  semistructured  data.  How¬ 
ever,  the  distinction  is  not  as  clear  cut  since  fea¬ 
tures  like  regular  expressions  (for  describing  paths) 
may  be  viewed  both  as  declarative  and  procedu¬ 
ral/navigational.  Then,  the  language  should  support 
information-retrieval-style features such as keyword
search.  Also,  as  standard  in  such  context,  the  lan¬ 
guage  should  blur  the  distinction  between  schema  and 
data.  Finally,  since  the  Web  keeps  changing,  query 
languages  should  allow  to  query  these  changes.  In  re¬ 
lational  databases,  notions  such  as  versions  and  tem¬ 
poral  queries  are  often  supported,  see,  e.g.  [13].  In  the 
Web  context,  there  is  growing  activity  around  query 
subscriptions  and  continuous  queries.  An  example  of 
(simple)  query  subscription  is  “let  me  know  when  a 
page  of  this  particular  site  changes”.  Such  services  are 
becoming  available  on  the  Web.  The  underlying  tech¬ 
nology  is  related  to  triggers  and  active  databases  [19]. 
An  example  of  continuous  query  is  “send  me,  every 
Wednesday,  the  list  of  movies  showing  in  Paris”. 

We next consider various approaches that have been proposed for querying semistructured data. Everything does not have to be built from scratch. Languages for hierarchical data have been studied for many years. Some of this work has focused on extensions of first-order logic with some controlled second-order features, allowing the quantification over sets of values. ("Controlled" here is essential so that query evaluation remains feasible.) From an algebraic/functional viewpoint, this amounts to extending relational algebra (projection, selection, join, etc.) with new operators such as filter, map, comprehension. Logics and algebras have been studied for trees (nested relations) or graphs (complex objects) that can be adapted to semistructured data. For instance, a typical operation, called nest, is as follows. Suppose $R$ contains a set of pairs. For each value $x$, we can group the corresponding values with a nest operation. This corresponds to the second-order formula:

$\{\, x, Y \mid \exists y\, R(x, y) \wedge \forall y\, (R(x, y) \Leftrightarrow y \in Y) \,\}$

Several query languages (typically using an SQL flavor) have been proposed for semistructured data. For XML alone, there is a flurry of recent competing proposals. Many of them, originating in academia, are arguing in favor of extending OQL [7], a reasonably clean functional language that was adopted as the standard for object databases. Others, mostly from industry, lobby for ad-hoc (one might say inelegant or dirty?) extensions of SQL. At the core of these extensions, one finds tree-pattern matching and tree rewriting. Indeed, one can view these languages as extensions of first-order logic with tree-pattern matching and some form of regular path expressions. Lorel [3] was, I believe, the first OQL extension proposed for semistructured data. An example of query, using a Lorel-like syntax, is:
An  example  of  query,  using  a  Lorel-like  syntax,  is: 

select  X/title,  X/author 

from  X  in  MyBibliography/biblio/book 

where  X/author="Ullman"  and  X/year="1986" 

The pattern here is a tree with two branches. A matching pattern consists of a root (the given document MyBibliography labeled biblio), a child labeled book with two children labeled author and year with appropriate values, "Ullman" and "1986", respectively. Each such
pattern  that  is  found  produces  an  element  of  the  answer 
with  a  title  and  an  author.  As  previously  mentioned, 
regular  expressions  and  keyword  search  may  come  into 
the  picture  as  in,  for  instance: 

select  X/title,  X/author 

from  X  in  MyBibliography/biblio/book 

where  X/author="Ullman"  and 

X/text//example  contains  "XML" 

This asks for the books by Ullman that mention the word XML in an example. In the query, the symbol "/" is used to denote children of a node whereas "//" is used for descendants.
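A small evaluator for the two Lorel-like queries above, as an added example in Python that is not Lorel and not from the paper. It models the document as a labelled tree, gives "/" child-step and "//" descendant-step semantics to a path, and evaluates the select/from/where shape of the queries with the where clause as a predicate on the bound variable X; the sample bibliography (three books, with a text subtree holding examples) and the reading of X/author = "Ullman" as "some author child equals Ullman" are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Node:
    label: str
    text: str = ""
    children: List["Node"] = field(default_factory=list)


def N(label: str, *children: Node, text: str = "") -> Node:
    return Node(label, text, list(children))


# Constructed sample document.  The document variable MyBibliography is
# modelled as a pseudo-node whose only child is the biblio root element.
MY_BIBLIOGRAPHY = N("MyBibliography",
    N("biblio",
      N("book",
        N("title", text="DBMS"), N("author", text="Ullman"), N("year", text="1986"),
        N("text", N("section", N("example", text="an XML fragment")))),
      N("book",
        N("title", text="DBTheory"), N("author", text="Abiteboul"),
        N("author", text="Hull"), N("author", text="Vianu"), N("year", text="1995"),
        N("text", N("example", text="a relational query"))),
      N("book",
        N("title", text="Data on the Web"), N("author", text="Abiteboul"),
        N("year", text="2000"),
        N("text", N("example", text="querying XML")))))

# One path step: an optional axis ("/" child, "//" descendant) and a label.
_STEP = re.compile(r"(//|/?)([A-Za-z_]\w*)")


def evaluate_path(start: List[Node], path: str) -> List[Node]:
    """Evaluate a Lorel-like path from a node set: 'x' or '/x' selects the
    children labelled x, '//x' the descendants labelled x, in document order."""
    current = list(start)
    for axis, label in _STEP.findall(path):
        nxt: List[Node] = []
        for n in current:
            if axis == "//":
                stack = list(reversed(n.children))      # preorder walk
                while stack:
                    c = stack.pop()
                    if c.label == label:
                        nxt.append(c)
                    stack.extend(reversed(c.children))
            else:
                nxt.extend(c for c in n.children if c.label == label)
        current = nxt
    return current


def texts(nodes: List[Node]) -> List[str]:
    return [n.text for n in nodes]


def select_title_author(document: Node,
                        where: Callable[[Node], bool]) -> List[Tuple[List[str], List[str]]]:
    """select X/title, X/author  from X in document/biblio/book  where where(X)"""
    return [(texts(evaluate_path([x], "title")), texts(evaluate_path([x], "author")))
            for x in evaluate_path([document], "biblio/book") if where(x)]


def where_ullman_1986(x: Node) -> bool:
    # X/author = "Ullman" and X/year = "1986": existential over the matching children
    return ("Ullman" in texts(evaluate_path([x], "author"))
            and "1986" in texts(evaluate_path([x], "year")))


def where_ullman_xml_example(x: Node) -> bool:
    # X/author = "Ullman" and X/text//example contains "XML"
    return ("Ullman" in texts(evaluate_path([x], "author"))
            and any("XML" in t for t in texts(evaluate_path([x], "text//example"))))


if __name__ == "__main__":
    print(select_title_author(MY_BIBLIOGRAPHY, where_ullman_1986))
    print(select_title_author(MY_BIBLIOGRAPHY, where_ullman_xml_example))
```

The third book also mentions XML in an example but is not by Ullman, so both queries return only DBMS; the difference between the axes shows in `biblio/example` (empty, since example is never a child of biblio) against `biblio//example` (all three examples).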

Another line of investigation for query languages is based on structural recursion. For instance, XSLT, a transformation language supported by the Web consortium, allows to specify iterators and tree rewriting patterns to apply on a given document. (It has been claimed recently that XSLT is Turing complete.)

Finally, two related approaches have been recently considered: tree transducers (see, e.g., [10]) and k-pebble transducers [9].

Tree  transducers  The  starting  point  is  the  view 
of  an  XML  document  as  a  tree.  This  suggests  us¬ 
ing  devices  over  trees  and  in  particular  tree  transduc¬ 
ers. The transducers that are considered are not quite standard in that trees have unbounded fan-out (the official terminology is unranked) and a query does not accept/reject the tree but returns a result, typically a set of nodes in the tree. The automaton uses top-down and bottom-up state transitions. A node is selected
depending  on  the  state  of  the  automaton  when  visit¬ 
ing  the  node  and  the  label  of  the  node.  This  approach 
is  interesting  also  because  of  the  equivalence  of  tree 
automata  and  monadic  second-order  logic. 
K-pebble transducers These devices subsume most aspects of query languages and typing previously introduced for semistructured data. They are variations of tree automata that we will not define here. Intuitively, a k-pebble transducer performs a computation on a tree. It uses a stack of pebbles to describe the state of the computation so far. The pebbles are installed on tree vertices. At some point of the computation, the transducer may spawn several parallel computations for the different children of the current node and put them in charge of computing different parts of the result. Figure 5 gives an intermediary state of a computation. Two parallel computations are going on. Each is in charge of computing one subtree of the root of the result.

5  In  Place  of  Conclusion 

Essential  differences  with  traditional  databases  arise 
from  the  nature  of  the  Web:  (i)  its  size;  (ii)  its  dis¬ 
tributed  nature;  (iii)  the  absence  of  centralized  control. 
This  suggests  new  research  directions.  To  conclude,  we 
mention  next  (somewhat  arbitrarily)  five  such  direc¬ 
tions. 

Complexity:  the  complexity  of  relational  queries  has 
been  extensively  studied.  Theory  has  gone  a  long 
way from showing logspace and $AC^0$ bounds for
relational  algebra  to,  for  instance,  obtaining  many 
results  for  recursive  languages  (datalog,  fixpoint). 
What  is  new?  A  lot  when  we  consider  the  Web. 
Logspace  at  the  scale  of  the  Web  is  simply  too 
much.  There  is  clearly  a  need  for  new  notions  of 
feasibility  in  this  context. 

Computability: Consider a Web crawler. It is essentially an infinite computation. In the time it takes to read the entire Web, a large portion of the data that has been read has already changed, some has disappeared, and new data has arrived. So, strictly speaking, some queries, such as "give me the list of URLs pointing to my homepage at this exact instant", simply cannot be answered. Thus, even the notion of computability has to be reconsidered (see [5]), and should encompass infinite computations.

A world of changes: The Web changes all the time. Furthermore, as already mentioned, users are often directly interested in changes. So, they would like a paradigm that allows one to talk about change, and yes, this brings us back to the notions of temporal queries, continuous queries and subscription queries (infinite computations for the last two). So the new name of the game is infinite computation in a changing world vs. finite computation in a static one.

A world of uncertainty and incompleteness: By the nature of the Web, the information that can be acquired is incomplete and cannot be completely trusted (e.g., dangling pointers, changing or disappearing data). Query languages have to deal with this. (See, e.g., [4].)

Concurrency control: A major achievement of database technology has been concurrency control, ensuring correct simultaneous interaction with the database by multiple users. This works fine in a centralized database with locks. It is still an elusive goal in the context of the Web. There is a need to develop more flexible notions of correctness and the corresponding theory.

Abstract

In  system  synthesis,  we  transform  a  specification 
into  a  system  that  is  guaranteed  to  satisfy  the  specifi¬ 
cation.  When  the  system  is  distributed,  the  goal  is  to 
construct  the  system’s  underlying  processes.  Results 
on  multi-player  games  imply  that  the  synthesis  prob¬ 
lem  for  linear  specifications  is  undecidable  for  general 
architectures,  and  is  nonelementary  decidable  for  hi¬ 
erarchical  architectures,  where  the  processes  are  lin¬ 
early  ordered  and  information  among  them  flows  in 
one  direction.  In  this  paper  we  present  a  significant 
extension  of  this  result.  We  handle  both  linear  and 
branching  specifications,  and  we  show  that  a  sufficient 
condition  for  decidability  of  the  synthesis  problem  is 
a  linear  or  cyclic  order  among  the  processes,  in  which 
information  flows  in  either  one  or  both  directions.  We 
also  allow  the  processes  to  have  internal  hidden  vari¬ 
ables,  and  we  consider  communications  with  and  with¬ 
out  delay.  Many  practical  applications  fall  into  this 
class. 

1  Introduction 

In system synthesis, we transform a specification into a system that is guaranteed to satisfy the specification. Early work on synthesis considered closed systems. There, a system that meets the specification can be extracted from a constructive proof that the specification is satisfiable [MW80, EC82]. As argued in [ALW89, Dil89, PR89a], such synthesis paradigms are not of much interest when applied to open systems, which interact with an environment. While synthesis that is based on satisfiability assumes no environment or a cooperative one, synthesis of open systems should assume a hostile environment, and should generate a system that satisfies the specification no matter how the environment behaves. The work in [ALW89, PR89a] formulated the synthesis problem in terms of a game between the system and the environment, and is closely related to Church's solvability problem [Chu63]. Given sets $I$ and $O$ of input and output signals, respectively, we can view a system as a strategy $P : (2^I)^* \to 2^O$ that maps a finite sequence of sets of input signals (the behavior of the environment so far) into a set of output signals (the reaction of the system to this behavior).

When $P$ interacts with an environment that generates infinite input sequences, it associates with each input sequence an infinite computation over $2^{I \cup O}$. We say that a specification $\psi$ is realizable iff there is a strategy all of whose computations satisfy $\psi$, in case $\psi$ is a linear specification, or a strategy whose induced computation tree satisfies $\psi$, in case $\psi$ is a branching specification. Synthesis of $\psi$ then amounts to constructing such a strategy. Solutions for the realizability and synthesis problems for specifications in the linear temporal logic LTL are presented in [ALW89, PR89a]. The solutions are extended in [PR89b, Var95] to asynchronous systems and in [KV99] to systems with incomplete information and specifications in the branching temporal logic CTL*. Methods developed for synthesis of open systems are applicable also for supervisory control, where instead of hostile environments we consider collaborative controllers of nondeterministic systems [RW89].

While the transition to open systems has significantly broadened the scope of synthesis to real-life designs, it is still limited to settings in which the open system consists of a single process. In a more realistic setting, that of a distributed system, the input to the synthesis problem consists of both the specification and an architecture, which may consist of more than one process and describes the communication channels between the different processes. More formally, we assume a setting with $n$ processes, with process $i$ referring to sets $I_i$, $O_i$, and $H_i$ of input, output, and hidden (internal) signals (input signals may be external, i.e., generated by the environment), and we want to construct for each process a strategy $P_i : (2^{I_i})^* \to 2^{O_i \cup H_i}$ so that the composition of the strategies satisfies the specification. The architecture is given by a set of conditions like $O_2 \cup O_4 \subseteq I_3$ ("the only channels to $P_3$ are from $P_2$ and $P_4$"). The exact definition of the composition of the strategies then depends on assumptions on the communication (e.g., whether communication involves a delay). If, for example, we want to synthesize five dining philosophers [Dij72], we can specify in temporal logic the mutual exclusion and non-starvation requirements for the philosophers, specify a two-way ring with five processes, and ask the synthesis procedure to construct appropriate strategies for the processes. Clearly, a solution for the dining philosophers that refers to a single process is not of much interest.

There  are  two  possible  ways  to  approach  the  syn¬ 
thesis  problem  for  distributed  systems.  One  approach 
is  to  use  a  synthesis  procedure  for  a  single  process,  and 
then  decompose  the  process  according  to  the  given  ar¬ 
chitecture  [EC82,  MW84].  While  this  approach  has 
a  computational  advantage,  known  decomposition  al¬ 
gorithms  are  not  complete  in  the  sense  that  a  speci¬ 
fication  may  be  realizable  with  respect  to  a  given  ar¬ 
chitecture  yet  the  decomposition  algorithm  would  fail 
[PR90].  Thus,  one  can  view  decomposition  as  a  heuris¬ 
tic  for  the  synthesis  problem,  which  is  not  guaranteed 
to  work.  The  second  approach  is  to  refer  to  the  archi¬ 
tecture  of  the  distributed  system  from  the  outset  and 
construct  the  underlying  processes  directly  [PR90]. 

Results on multi-player games imply that the realizability problem for general distributed systems is undecidable [PR79, PR90] (the results in [PR79] refer to multiple-person alternating Turing machines and are extended in [PR90] to the synthesis setting). Essentially, there is an architecture $\Omega$ (in fact, a very simple architecture, consisting of two independent processes $P_1$ and $P_2$ that interact with the same environment; that is, $I_1 \cap (O_2 \cup H_2) = \emptyset$ and $I_2 \cap (O_1 \cup H_1) = \emptyset$) such that for every deterministic Turing machine $M$, there is an LTL formula $\psi_M$ such that $M$ halts on the empty tape iff $\psi_M$ is realizable in $\Omega$. The reduction is heavily based on $P_1$ and $P_2$ being independent, and it fails, for example, if we assume that $P_2$ gets its input from $P_1$ (i.e., $O_1 \subseteq I_2$). Indeed, it is shown in [PR79, PR90] that once we consider hierarchical architectures, in which the processes are linearly ordered and information flows in one direction, the realizability problem is nonelementary decidable for specifications in LTL.

The decidability result in [PR90] suffers from two limitations. First, when we synthesize a system from an LTL specification $\psi$, we require $\psi$ to hold in all the computations of the system. Consequently, we cannot impose possibility requirements on the system (cf. [DTV99]). In the dining-philosophers example, while we can specify in LTL mutual exclusion, we cannot specify deadlock freedom (every finite interaction can be extended so that a philosopher eventually eats). In order to express possibility properties, we should specify the system using branching temporal logic, which enables both universal and existential path quantification [EH86, Eme90]. Second, and more crucially, the algorithm in [PR90] is not applicable for architectures that are not hierarchical, and real-life designs are rarely based on hierarchical architectures. We do not count the nonelementary complexity as a limitation, as it is accompanied by a matching lower bound and, as we discuss further in Section 6, the worst-case complexity rarely appears in practice.

In this paper we remove both limitations. We consider specifications in the branching temporal logic CTL* (which subsumes LTL), and we handle all architectures in which there is a linear or cyclic order among the processes, in which information flows in either one or both directions. Thus, our architectures can be either chains or rings with both one-way and two-way communication channels. In addition, we allow the processes to have internal hidden variables, and we consider communications with and without delay. We show that the realizability problem stays decidable in all these cases. The solution we present is based on alternating tree automata, which separate the logical and algorithmic aspects of the problem: given a specification $\psi$ and an architecture $\Omega$, we construct an automaton such that $\psi$ is realizable in $\Omega$ iff the automaton is not empty. To check realizability, the automaton has to be tested for nonemptiness [EJ88, PR89a, KV98]. The nonemptiness algorithm also synthesizes the processes in $\Omega$ that together realize $\psi$.

We argue that the results in the paper significantly extend the scope of synthesis for distributed systems, as commonly used architectures belong to the class of architectures we handle [Tan87]. Examples of applications of these architectures include various communication protocols in which communication proceeds in layers. For example, the so-called OSI model consists of a seven-layer protocol stack (Application, Presentation, Session, Transport, Network, Data link, and Physical layers), where every layer communicates with the layer above it and the layer below it. The environment talks to the top layer and the bottom layer [Man99]. Architectures with two-way communication channels are common in scientific computations, say when we iterate in order to solve a differential equation and each process works on part of the computed domain. Then, it is useful to divide the domain into layers so that in each iteration every layer updates its neighbors with its results from the previous iteration [PTVF92].

2  Preliminaries 

2.1  Trees  and  labeled  trees 

Given a finite set $\Upsilon$, an $\Upsilon$-tree is a set $T \subseteq \Upsilon^*$ such that if $x \cdot v \in T$, where $x \in \Upsilon^*$ and $v \in \Upsilon$, then also $x \in T$. When $\Upsilon$ is not important or clear from the context, we call $T$ a tree. When $T = \Upsilon^*$, we say that $T$ is full. The elements of $T$ are called nodes, and the empty word $\varepsilon$ is the root of $T$. For every $x \in T$, the nodes $x \cdot v \in T$ where $v \in \Upsilon$ are the children of $x$. Each node $x$ of $T$ has a direction, $dir(x)$, in $\Upsilon$. The direction of $\varepsilon$ is $v_0$ for some designated $v_0 \in \Upsilon$, called the root direction. The direction of a node $x \cdot v$ is $v$.

Given two finite sets $\Upsilon$ and $\Sigma$, a $\Sigma$-labeled $\Upsilon$-tree is a pair $(T, V)$ where $T$ is an $\Upsilon$-tree and $V : T \to \Sigma$ maps each node of $T$ to a letter in $\Sigma$. When $\Upsilon$ and $\Sigma$ are not important or clear from the context, we call $(T, V)$ a labeled tree. For a $\Sigma$-labeled $\Upsilon$-tree $(\Upsilon^*, V)$, we define the memoryfull version of $(\Upsilon^*, V)$, denoted $mem((\Upsilon^*, V))$, as the $\Sigma^+$-labeled $\Upsilon$-tree $(\Upsilon^*, V')$ where $V'(\varepsilon) = V(\varepsilon)$, for $v \in \Upsilon$ we have $V'(v) = V(\varepsilon) \cdot V(v)$, and for all $x \in \Upsilon^+$ and $v \in \Upsilon$ we have $V'(x \cdot v) = V'(x) \cdot V(x \cdot v)$. Thus, the label of a node $x$ in $mem((\Upsilon^*, V))$ is the word obtained by concatenating the labels of all the prefixes (including $\varepsilon$) of $x$ in $(\Upsilon^*, V)$.

For a $\Sigma$-labeled $\Upsilon$-tree $(\Upsilon^*, V)$, we define the x-ray of $(\Upsilon^*, V)$, denoted $xray((\Upsilon^*, V))$, as the $(\Upsilon \times \Sigma)$-labeled $\Upsilon$-tree $(\Upsilon^*, V')$ in which each node is labeled by both its direction and its labeling in $(\Upsilon^*, V)$. Thus, for every $x \in \Upsilon^*$, we have $V'(x) = (dir(x), V(x))$. Essentially, the labels in $xray((\Upsilon^*, V))$ contain information not only about the surface of $(\Upsilon^*, V)$ (its labels) but also about its skeleton (its nodes).

For a $\Sigma$-labeled $\Upsilon$-tree $(\Upsilon^*, V)$, we define the delay of $(\Upsilon^*, V)$, denoted $delay((\Upsilon^*, V))$, as the $\Sigma$-labeled $\Upsilon$-tree $(\Upsilon^*, V')$ in which $V'(\varepsilon) = V(\varepsilon)$ and for all $x \in \Upsilon^*$ and $v \in \Upsilon$, we have $V'(x \cdot v) = V(v_0 \cdot x)$, where $v_0 = dir(\varepsilon)$ is the root direction of $\Upsilon$. Intuitively, the delay of $(\Upsilon^*, V)$ describes the label node $x$ would have when the sequence of directions leading to $x$ arrives with a delay; thus the last direction in $x$ is missing and $x$ is prefixed by the root direction.

Consider a set $X \times Y$ of directions. For a node $\tau \in (X \times Y)^*$, let $hide_Y(\tau)$ be the node in $X^*$ obtained from $\tau$ by replacing each letter $(x, y)$ by the letter $x$. For example, the node $(0,0) \cdot (1,0)$ of the 4-ary $(\{0,1\} \times \{0,1\})$-tree corresponds, by $hide_{\{0,1\}}$, to the node $0 \cdot 1$ of the $\{0,1\}$-tree. Note that the nodes $(0,0) \cdot (1,1)$, $(0,1) \cdot (1,0)$, and $(0,1) \cdot (1,1)$ of the 4-ary tree also correspond, by $hide_{\{0,1\}}$, to the node $0 \cdot 1$ of the binary tree. For a $Z$-labeled $X$-tree $(X^*, V)$, we define the $Y$-widening of $(X^*, V)$, denoted $wide_Y((X^*, V))$, as the $Z$-labeled $(X \times Y)$-tree $((X \times Y)^*, V')$ where for every $\tau \in (X \times Y)^*$, we have $V'(\tau) = V(hide_Y(\tau))$. As we explain further in Section 3, nodes $\tau_1$ and $\tau_2$ with $hide_Y(\tau_1) = hide_Y(\tau_2) = \tau$ are indistinguishable in $wide_Y((X^*, V))$ by someone that does not observe $Y$. Indeed, for such an observer, both nodes are reached by traversing $\tau$ and are labeled by $V(\tau)$.
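The transformations just defined are easy to get wrong in the index bookkeeping (which prefix is concatenated, which direction is dropped), so here is an added Python example, not code from the paper, that implements mem, xray, delay, hide_Y and wide_Y on finite truncations of full trees. The binary tree, its labeling by node names and the depth bound are constructed assumptions for illustration; the functions themselves follow the definitions above.

```python
"""Labeled-tree transformations of Section 2.1 (mem, xray, delay, hide_Y, wide_Y).

Added example, not code from the paper.  A full Upsilon-tree is infinite, so we
work with a finite prefix-closed truncation: a tree is a dict from a node (a
tuple of directions) to its label.  The root is the empty tuple (); its
direction is the designated root direction v0.  The sample labeling below is
constructed for illustration only.
"""
from itertools import product


def full_tree(directions, depth, label):
    """Truncation of the full directions-tree to the given depth, labeled by label(node)."""
    return {node: label(node)
            for n in range(depth + 1)
            for node in product(directions, repeat=n)}


def dir_of(node, v0):
    """dir(x): the last direction of x, or the root direction v0 for the root."""
    return node[-1] if node else v0


def mem(tree):
    """mem: the label of x is the tuple of labels of all prefixes of x, root included."""
    return {x: tuple(tree[x[:i]] for i in range(len(x) + 1)) for x in tree}


def xray(tree, v0):
    """xray: every node is labeled by (its direction, its original label)."""
    return {x: (dir_of(x, v0), tree[x]) for x in tree}


def delay(tree, v0):
    """delay: V'(eps) = V(eps) and V'(x . v) = V(v0 . x); the last direction arrives late."""
    return {x: (tree[(v0,) + x[:-1]] if x else tree[()]) for x in tree}


def hide(node):
    """hide_Y: keep only the X component of every (x, y) letter of a node over X x Y."""
    return tuple(x for x, _ in node)


def wide(tree, X, Y, depth):
    """wide_Y: the (X x Y)-tree whose node tau carries the label of hide_Y(tau)."""
    return {node: tree[hide(node)]
            for n in range(depth + 1)
            for node in product(product(X, Y), repeat=n)}


def node_name(node):
    """Constructed sample labeling: the node written out, 'e' for the root."""
    return "".join(map(str, node)) or "e"


def example_tree(depth=3):
    """Constructed sample: the binary tree of the given depth, labeled by node_name."""
    return full_tree((0, 1), depth, node_name)


def indistinguishable(wide_tree, x_node):
    """Nodes of the widened tree that an observer blind to Y cannot tell apart from x_node."""
    return {tau for tau in wide_tree if hide(tau) == x_node}


if __name__ == "__main__":
    t = example_tree()
    w = wide(t, (0, 1), (0, 1), 2)
    print(mem(t)[(0, 1)], xray(t, 0)[(1, 0)], delay(t, 0)[(1, 0)])
    print(sorted(indistinguishable(w, (0, 1))), {w[tau] for tau in indistinguishable(w, (0, 1))})
```

The last line of the demo reproduces the example in the text: the four 4-ary nodes that hide to $0 \cdot 1$ all carry the label of $0 \cdot 1$ in the widened tree.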

2.2  Alternating  automata 

Alternating tree automata generalize nondeterministic tree automata and were first introduced in [MS87]. An alternating tree automaton $\mathcal{A} = \langle \Sigma, Q, q_0, \delta, \alpha \rangle$ runs on full $\Sigma$-labeled $\Upsilon$-trees (for an agreed set $\Upsilon$ of directions). It consists of a finite set $Q$ of states, an initial state $q_0 \in Q$, a transition function $\delta$, and an acceptance condition $\alpha$ (a condition that defines a subset of $Q^\omega$). For a set $\Upsilon$ of directions, let $\mathcal{B}^+(\Upsilon \times Q)$ be the set of positive Boolean formulas over $\Upsilon \times Q$; i.e., Boolean formulas built from elements in $\Upsilon \times Q$ using $\wedge$ and $\vee$, where we also allow the formulas true and false and, as usual, $\wedge$ has precedence over $\vee$. The transition function $\delta : Q \times \Sigma \to \mathcal{B}^+(\Upsilon \times Q)$ maps a state and an input letter to a formula that suggests a new configuration for the automaton. For example, when $\Upsilon = \{0, 1\}$, having $\delta(q, \sigma) = (0, q_1) \wedge (0, q_2) \vee (0, q_2) \wedge (1, q_2) \wedge (1, q_3)$ means that when the automaton is in state $q$ and reads the letter $\sigma$, it can either send two copies, in states $q_1$ and $q_2$, to direction 0 of the tree, or send a copy in state $q_2$ to direction 0 and two copies, in states $q_2$ and $q_3$, to direction 1. Thus, unlike nondeterministic tree automata, here the transition function may require the automaton to send several copies to the same direction or allow it not to send copies to all directions.

A run of an alternating automaton $\mathcal{A}$ on an input $\Sigma$-labeled $\Upsilon$-tree $(T, V)$ is a tree $(T_r, r)$ in which the nodes are labeled by elements of $\Upsilon^* \times Q$. Each node of $T_r$ corresponds to a node of $T$. A node in $T_r$, labeled by $(x, q)$, describes a copy of the automaton that reads the node $x$ of $T$ and visits the state $q$. Note that many nodes of $T_r$ can correspond to the same node of $T$; in contrast, in a run of a nondeterministic automaton on $(T, V)$ there is a one-to-one correspondence between the nodes of the run and the nodes of the tree. The labels of a node and its children have to satisfy the transition function. For example, if $(T, V)$ is a $\{0, 1\}$-tree with $V(\varepsilon) = a$ and $\delta(q_0, a) = ((0, q_1) \vee (0, q_2)) \wedge ((0, q_3) \vee (1, q_2))$, then the nodes of $(T_r, r)$ at level 1 include the label $(0, q_1)$ or $(0, q_2)$, and include the label $(0, q_3)$ or $(1, q_2)$. Each infinite path $\rho$ in $(T_r, r)$ is labeled by a word $r(\rho)$ in $Q^\omega$. Let $inf(\rho)$ denote the set of states in $Q$ that appear in $r(\rho)$ infinitely often. A run $(T_r, r)$ is accepting iff all its infinite paths satisfy the acceptance condition. In Rabin alternating tree automata, $\alpha \subseteq 2^Q \times 2^Q$, and an infinite path $\rho$ satisfies an acceptance condition $\alpha = \{(G_1, B_1), \ldots, (G_k, B_k)\}$ iff there exists $1 \le i \le k$ for which $inf(\rho) \cap G_i \ne \emptyset$ and $inf(\rho) \cap B_i = \emptyset$. We refer to the number of pairs in $\alpha$ as the index of $\mathcal{A}$. An automaton accepts a tree iff there exists an accepting run on it. We denote by $\mathcal{L}(\mathcal{A})$ the language of the automaton $\mathcal{A}$; i.e., the set of all labeled trees that $\mathcal{A}$ accepts. We say that an automaton is nonempty iff $\mathcal{L}(\mathcal{A}) \ne \emptyset$. For an acceptance condition $\alpha$ over $Q$ and a set $S$, we denote by $\alpha \times S$ the acceptance condition over $Q \times S$ obtained from $\alpha$ by replacing each set $F$ participating in $\alpha$ by the set $F \times S$. For example, if $\alpha$ is the Rabin acceptance condition $\{(G, B)\}$, then $\alpha \times S = \{(G \times S, B \times S)\}$.

Nondeterministic tree automata can be viewed as a special case of alternating tree automata, where the formulas in $\mathcal{B}^+(\Upsilon \times Q)$ are such that if a formula is rewritten in disjunctive normal form, then for every direction $v \in \Upsilon$, there is exactly one element of $\{v\} \times Q$ in each disjunct. While nondeterministic tree automata are not less expressive than alternating tree automata, they are exponentially less succinct:

Theorem 2.1 [MS95] An alternating Rabin tree automaton with $m$ states and $k$ pairs can be translated to an equivalent nondeterministic Rabin tree automaton with exponentially many states and $O(mk)$ pairs.
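As an added example (not code from the paper or its authors), the following Python keeps positive Boolean formulas over $\Upsilon \times Q$ in disjunctive normal form and implements the two example transitions of this subsection, the "exactly one copy per direction" test that characterizes the nondeterministic special case, the possible level-1 labels of a run, Rabin acceptance on $inf(\rho)$ for an ultimately periodic path, and the $\alpha \times S$ construction. State and direction names are plain Python values chosen for the example.

```python
"""Positive Boolean transitions and Rabin acceptance from Section 2.2.

Added example, not the paper's code.  A formula in B+(Upsilon x Q) is kept in
disjunctive normal form as a frozenset of disjuncts, each a frozenset of
(direction, state) atoms; TRUE is the single empty disjunct and FALSE has no
disjunct.  Directions and states are plain Python values; the two sample
transitions are the ones used as examples in the text.
"""
from itertools import product

TRUE = frozenset({frozenset()})
FALSE = frozenset()


def atom(direction, state):
    """The formula consisting of the single atom (direction, state)."""
    return frozenset({frozenset({(direction, state)})})


def OR(*formulas):
    """Disjunction: the union of the disjunct sets."""
    return frozenset().union(*formulas)


def AND(*formulas):
    """Conjunction, distributed over the disjuncts so the result stays in DNF."""
    result = TRUE
    for phi in formulas:
        result = frozenset(c1 | c2 for c1 in result for c2 in phi)
    return result


def is_nondeterministic(formula, directions):
    """Special case of Section 2.2: every disjunct sends exactly one copy to each direction."""
    return all(sum(1 for d, _ in disjunct if d == v) == 1
               for disjunct in formula for v in directions)


def next_level(formula, node=()):
    """Possible sets of (node, state) labels for the children of a run node reading `node`."""
    return {frozenset((node + (d,), s) for d, s in disjunct) for disjunct in formula}


def inf_of_lasso(prefix, loop):
    """inf(rho) for the ultimately periodic state sequence prefix . loop^omega."""
    return frozenset(loop)


def rabin_satisfied(inf, alpha):
    """Some pair (G_i, B_i) is visited infinitely often in G_i and only finitely often in B_i."""
    return any(inf & G and not (inf & B) for G, B in alpha)


def times_set(alpha, S):
    """alpha x S: replace every set F participating in alpha by F x S."""
    return [(frozenset(product(G, S)), frozenset(product(B, S))) for G, B in alpha]


# The paper's first example: (0,q1) ^ (0,q2)  v  (0,q2) ^ (1,q2) ^ (1,q3)
DELTA_Q_SIGMA = OR(AND(atom(0, "q1"), atom(0, "q2")),
                   AND(atom(0, "q2"), atom(1, "q2"), atom(1, "q3")))

# The paper's second example: ((0,q1) v (0,q2)) ^ ((0,q3) v (1,q2))
DELTA_Q0_A = AND(OR(atom(0, "q1"), atom(0, "q2")),
                 OR(atom(0, "q3"), atom(1, "q2")))

# A nondeterministic-style transition for comparison: one copy per direction in each disjunct.
DELTA_NONDET = OR(AND(atom(0, "q1"), atom(1, "q2")), AND(atom(0, "q2"), atom(1, "q1")))

if __name__ == "__main__":
    print(sorted(map(sorted, DELTA_Q0_A)))
    print(is_nondeterministic(DELTA_Q_SIGMA, (0, 1)), is_nondeterministic(DELTA_NONDET, (0, 1)))
    alpha = [(frozenset({"q1"}), frozenset({"q3"}))]
    print(rabin_satisfied(inf_of_lasso(["q0"], ["q1", "q2"]), alpha))
```

Expanding DELTA_Q0_A yields the four disjuncts a run may follow at level 1, which is exactly the "include $(0, q_1)$ or $(0, q_2)$, and include $(0, q_3)$ or $(1, q_2)$" reading given in the text; the first example fails the nondeterminism test because it sends two copies to direction 0 and, in one disjunct, none to direction 1.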

3  Architectures  and  the  synthesis 
problem 

Given sets $I$ and $O$ of input and output signals, respectively, we can view a process $P$ as a strategy $f : (2^I)^* \to 2^O$ that maps a finite sequence of sets of input signals into a set of output signals. We often refer to the strategy $f$ as the $2^O$-labeled $2^I$-tree $((2^I)^*, f)$. Let $i_0$ be the root direction of $2^I$. When $P$ interacts with an environment that generates infinite input sequences, it associates with each infinite input sequence $i_1, i_2, \ldots$ an infinite computation $i_0 \cup f(\varepsilon),\ i_1 \cup f(i_1),\ i_2 \cup f(i_1 \cdot i_2), \ldots$ over $2^{I \cup O}$. The interaction of $P$ with all possible input sequences induces the $(2^{I \cup O})$-labeled $2^I$-tree $xray(((2^I)^*, f))$.


The environment may have hidden internal signals, which are not readable by $P$. Let $H$ denote the set of hidden signals. Then, a strategy for $P$ is still a function $f : (2^I)^* \to 2^O$, but the interaction of $P$ with an outcome of the environment induces an infinite computation over $2^{I \cup O \cup H}$, and its interaction with all possible outcomes induces the $(2^{I \cup O \cup H})$-labeled $(2^{I \cup H})$-tree $xray(wide_{2^H}(((2^I)^*, f)))$. Each node in this tree has $2^{|I \cup H|}$ children$^1$, corresponding to the $2^{|I \cup H|}$ possible assignments to $I \cup H$. Note that since $P$ cannot see the signals in $H$, and thus cannot distinguish between children that agree on their assignment to the signals in $I$, the tree above is the $2^H$-widening of the interaction between $P$ and its environment as seen by $P$.

In a setting with $n$ processes $P_1, \ldots, P_n$, where process $P_i$ reads $I_i$, writes $O_i$, and has hidden internal signals $H_i$, a strategy for $P_i$ is a function $f_i : (2^{I_i})^* \to 2^{O_i \cup H_i}$. Let $I = \bigcup_{1 \le i \le n} I_i$, and similarly for $O$ and $H$. The $n$ processes $P_1, \ldots, P_n$ interact with each other and may also interact with an environment. We denote by $O_{env}$ the output signals of the environment (that is, the external input to the $n$ processes), and denote by $H_{env}$ the hidden signals of the environment.

Different architectures induce different communication channels between the processes. We consider here four classes of architectures (see the figure below). In all classes, each signal can be written by a single process (that is, $O_i \cap O_j = \emptyset$ for all $i \ne j$), but can be read by several processes (that is, possibly $I_i \cap I_j \ne \emptyset$).

• In a one-way chain, $P_1$ reads from the environment, $P_n$ writes to the environment, and all the other processes read from the process to their left and write to the process to their right. Formally, $I_1 = O_{env}$, and for all $2 \le i \le n$ we have $I_i = O_{i-1}$. Note that $P_i$ cannot read the internal signals of the process to its left and that $I \cup O = I \cup O_n = I_1 \cup O$.

• A one-way ring extends a one-way chain by a communication channel from $P_n$ to $P_1$. Thus, $P_1$ reads from both $P_n$ and the environment (i.e., $I_1 = O_n \cup O_{env}$), and $P_n$ writes to both $P_1$ and the environment.

• In a two-way chain, $P_1$ reads from both $P_2$ and the environment and writes to $P_2$, $P_n$ reads from $P_{n-1}$ and writes to both $P_{n-1}$ and the environment, and all the other processes read from the processes to their left and right, and write to the processes to their left and right. Formally, $I_1 = O_{env} \cup O_2$, for all $2 \le i \le n-1$ we have $I_i = O_{i-1} \cup O_{i+1}$, and $I_n = O_{n-1}$.

$^1$We consider synthesis with respect to maximal environments, which provide all possible input sequences. An extension to non-maximal environments is possible, using the same techniques as in [KMTV00].

• A two-way ring extends a two-way chain by a communication channel between $P_n$ and $P_1$. Thus, $P_1$ reads from $P_2$, $P_n$, and the environment (i.e., $I_1 = O_{env} \cup O_2 \cup O_n$), and writes to both $P_2$ and $P_n$, and $P_n$ reads from both $P_1$ and $P_{n-1}$ and writes to $P_1$, $P_{n-1}$, and the environment.

Note that in all the four classes, and for all $i$ and $j$ with $i < j$, the process $P_i$ has complete information about the input to $P_j$; thus $P_i$ can simulate $P_j$ and have complete information also about its output$^2$. This means, for example, that in a two-way chain, we could give up the channel from $P_2$ to $P_1$, letting $P_1$ compute the information along this channel, and similarly for the other right-to-left channels. While this would not change the answer to the realizability question, it may significantly increase the sizes of the synthesized processes.


[Figure: the four architecture classes. Top row: one-way chain, two-way chain. Bottom row: one-way ring, two-way ring.]


For all the architectures, we define the composition of strategies $f_1, \ldots, f_n$ as a function $f : (2^{O_{env}})^* \to 2^{O \cup H}$ that describes the joint behavior of the processes on an infinite sequence of external input signals. The exact definition of a composition depends on the particular architecture as well as on assumptions on the communication (e.g., whether communication involves a delay). We define several compositions in Section 5. In [PR90], Pnueli and Rosner study one-way chains (called "hierarchical architectures" there) where communication involves no delay. In this setting, compositions are defined as follows. For the strategy $f_i$, let $((2^{I_i})^*, f_i') = mem(((2^{I_i})^*, f_i))$. Recall that in a one-way chain, $O_{env} = I_1$. Then, $f : (2^{O_{env}})^* \to 2^{O \cup H}$ is such that for every $\sigma \in (2^{O_{env}})^*$,

$$f(\sigma) = f_1(\sigma) \cup f_2(f_1'(\sigma)) \cup f_3(f_2'(f_1'(\sigma))) \cup \cdots \cup f_n(f_{n-1}'(\cdots(f_2'(f_1'(\sigma)))\cdots)).$$

$^2$Indeed $P_j$, for $j > i$, generates also hidden signals, but these signals are generated by a strategy that is known to $P_i$, since our framework assumes that the processes are collaborative, while the environment is adversarial.

Intuitively, for all $i$, the output of $P_i$ (and, consequently, the contribution of $f_i$ to $f$) depends on the history of the outputs of $P_{i-1}$, namely the memoryfull version of $f_{i-1}$, which by itself depends on the memoryfull version of $f_{i-2}$, and so on.
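The composition formula above is easiest to understand by executing it. The following Python is an added example, not the paper's code: strategies are callables on histories, mem is the memoryfull version $f_i'$, and compose_chain evaluates $f(\sigma)$ for a one-way chain with no delay. The two processes, their signals ("req", "ack", "odd", "done") and the projection of hidden signals out of the forwarded history are constructed assumptions; the paper's formula leaves that projection implicit.

```python
"""Composition of strategies in a one-way chain without delay (Section 3).

Added example, not the paper's code.  A strategy f_i : (2^{I_i})^* -> 2^{O_i u H_i}
is a Python callable from a history (a tuple of frozensets of signals) to a
frozenset of signals, and mem() is its memoryfull version f_i'.  As in the
paper's formula, P_{i+1} reads f_i'(.) at the same instant (no delay), so its
history is one letter longer than sigma.  One detail left implicit in the
formula is made explicit here as an assumption: the hidden signals H_i are
projected away before the history is passed on, since I_{i+1} = O_i.
The two processes and their signals are constructed for illustration.
"""


def mem(f, history):
    """f'(history): the sequence f(eps), f(h_1), f(h_1 h_2), ..., f(history)."""
    return tuple(f(history[:k]) for k in range(len(history) + 1))


def project(history, signals):
    """Restrict every letter of a history to the given signal set."""
    signals = frozenset(signals)
    return tuple(letter & signals for letter in history)


def compose_chain(processes, sigma):
    """f(sigma) = f_1(sigma) u f_2(f_1'(sigma)) u ... u f_n(f_{n-1}'(... f_1'(sigma) ...)).

    processes is a list of (f_i, I_i) in chain order; sigma ranges over (2^{O_env})^*.
    """
    out, history = frozenset(), sigma
    for f, inputs in processes:
        history = project(history, inputs)   # P_i sees only the signals in I_i
        out |= f(history)                    # contribution of f_i to f
        history = mem(f, history)            # f_i', read by P_{i+1} with no delay
    return out


# Constructed signals: the environment writes "req"; P1 writes "ack" and keeps the
# hidden parity bit "odd"; P2 writes "done".  I_1 = O_env, I_2 = O_1.
I1, O1, H1 = {"req"}, {"ack"}, {"odd"}
I2, O2 = {"ack"}, {"done"}


def p1(history):
    """Acknowledge a request in the current letter; 'odd' marks an odd number of requests so far."""
    out = set()
    if history and "req" in history[-1]:
        out.add("ack")
    if sum("req" in letter for letter in history) % 2 == 1:
        out.add("odd")
    return frozenset(out)


def p2(history):
    """Raise 'done' once two acknowledgements have been seen, the current one included."""
    acks = sum("ack" in letter for letter in history)
    return frozenset({"done"}) if acks >= 2 else frozenset()


CHAIN = [(p1, I1), (p2, I2)]


def run(inputs):
    """The outputs f(sigma) of the chain on every prefix sigma of a finite external input sequence."""
    sigma = tuple(frozenset(letter) for letter in inputs)
    return [compose_chain(CHAIN, sigma[:k]) for k in range(len(sigma) + 1)]


if __name__ == "__main__":
    for step, out in enumerate(run([{"req"}, set(), {"req"}])):
        print(step, sorted(out))
```

Running the demo on the input sequence {req}, {}, {req} shows the no-delay point: $P_2$ sees $P_1$'s acknowledgement at the instant it is produced, so "done" is part of $f(\sigma)$ for the prefix ending with the second request rather than one step later. It also shows that the hidden signal "odd" belongs to the composition's output in $2^{O \cup H}$ although $P_2$ never reads it.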

The composition $f$ induces the computation tree of $P_1, \ldots, P_n$, which is the $(2^{I \cup O \cup H \cup H_{env}})$-labeled $(2^{O_{env} \cup H_{env}})$-tree $xray(wide_{2^{H_{env}}}(((2^{O_{env}})^*, f)))$. The transition from the composition to the computation tree involves two transformations. First, while the composition $f$ corresponds to the composition as seen by the processes, and thus ignores the signals in $H_{env}$ and the nondeterminism induced by them, the computation tree corresponds to the composition as seen by someone that sees all signals, which involves a $2^{H_{env}}$-widening. In addition, as the signals in $O_{env}$ and $H_{env}$ are represented in the widening of the composition only in its nodes and not in its labels, we employ $xray$ and obtain a tree whose labels refer to all signals.

Given a CTL* formula $\psi$ over $I \cup O \cup H \cup H_{env}$, and an architecture $\Omega$ with processes $P_1, \ldots, P_n$, we say that $\psi$ is realizable in $\Omega$ iff there are strategies for $P_1, \ldots, P_n$ whose composition induces a computation tree that satisfies $\psi$. The synthesis problem is then to construct these strategies. The synthesis problem for one-way chains with complete information is introduced and solved in [PR90] for specifications in the linear temporal logic LTL (which is a strict subset of CTL*). The synthesis problem for CTL* for an architecture with a single process with incomplete information is introduced and solved in [KV99]. In this paper, we solve the synthesis problem for CTL* for the four classes of architectures introduced above. Our solution is based on automata on infinite trees. For our purposes, the crucial feature of CTL* is the following translation of CTL* formulas to alternating Rabin tree automata.

Theorem 3.1 [KVW00] Given a CTL* formula $\psi$ over a set $AP$ of atomic propositions and a set $\Upsilon$ of directions, there exists an alternating Rabin tree automaton $\mathcal{A}_{\Upsilon,\psi}$ over $2^{AP}$-labeled $\Upsilon$-trees, with two pairs, such that $\mathcal{L}(\mathcal{A}_{\Upsilon,\psi})$ is exactly the set of trees satisfying $\psi$.

4  Useful  automata  constructions 

Let $X$, $Y$, and $Z$ be finite sets, and let $z_0$ be the root direction of $Z$. For an $(X \times Y)$-labeled $Z$-tree $(Z^*, f)$, we say that $(Z^*, f)$ is a composition of an $X$-labeled $Z$-tree $(Z^*, f_X)$, where $mem((Z^*, f_X)) = (Z^*, f_X')$, and a $Y$-labeled $X$-tree $(X^*, f_Y)$ iff for every $z_1$ and $z_2$ in $Z$ and for every $\sigma \in Z^*$, we have

• $f(\varepsilon) = f_X(\varepsilon) \cup f_Y(\varepsilon)$.

• $f(z_1) = f_X(z_0) \cup f_Y(f_X'(\varepsilon))$.

• $f(\sigma \cdot z_1 \cdot z_2) = f_X(z_0 \cdot \sigma \cdot z_1) \cup f_Y(f_X'(z_0 \cdot \sigma))$.

(As the tree is $(X \times Y)$-labeled, $f_X(\cdot) \cup f_Y(\cdot)$ stands for the pair $(f_X(\cdot), f_Y(\cdot))$, which is how the labels are written in the proof of Theorem 4.1.) We then say that $f = f_X + f_Y$. For a set $\mathcal{T}$ of $(X \times Y)$-labeled $Z$-trees, the set $shape_X(\mathcal{T})$ consists of all $Y$-labeled $X$-trees $(X^*, f_Y)$ for which there exists an $X$-labeled $Z$-tree $(Z^*, f_X)$ such that the $(X \times Y)$-labeled $Z$-tree $(Z^*, f_X + f_Y)$ is in $\mathcal{T}$.

Theorem 4.1 Let $X$, $Y$, and $Z$ be finite sets. Given a nondeterministic tree automaton $\mathcal{A}$ over $(X \times Y)$-labeled $Z$-trees, we can construct an alternating tree automaton $\mathcal{A}'$ over $Y$-labeled $X$-trees such that $\mathcal{L}(\mathcal{A}') = shape_X(\mathcal{L}(\mathcal{A}))$ and the automata $\mathcal{A}'$ and $\mathcal{A}$ have the same size and index.

Proof: Let $A = (X \times Y, Q, q_0, \delta, \alpha)$. Then, $A' = (Y, Q, q_0, \delta', \alpha)$, where for every $q \in Q$ and $y \in Y$, we have

$$\delta'(q, y) = \bigvee_{x \in X} \;\; \bigvee_{(s_1, s_2, \ldots, s_{|Z|}) \in \delta(q, (x, y))} (x, s_1) \wedge (x, s_2) \wedge \cdots \wedge (x, s_{|Z|}).$$

Consider first the case where $q = q_0$ and $A'$ reads the root of the input tree $(X^*, f_Y)$. The letter $y$ read at the root is $f_Y(\varepsilon)$. Since in $f_X + f_Y$ the root is labeled $(f_X(\varepsilon), f_Y(\varepsilon))$, we proceed according to $\delta(q_0, (x, y))$ for some $x$ which is our guess for $f_X(\varepsilon)$. By the definition of $\delta'$, each copy of $A$ that is sent to direction $z \in Z$ and visits state $s$ induces a copy of $A'$ that is sent to direction $x$ and visits the state $s$. Since the choice of $x$ is joint to all $z \in Z$, all the copies of $A'$ induced as above are going to read the same letter, which is our guess for $f_Y(f'_X(\varepsilon))$. Consider now a copy of $A$ that reads a node $z \in Z$ and visits state $s$. Recall that the automaton $A'$ then has a copy that reads the node $f_X(\varepsilon)$, visits the state $s$, and the letter $y$ read by this copy (and all the other copies that read the node $f_X(\varepsilon)$) is our guess for $f_Y(f'_X(\varepsilon))$. Since in $f_X + f_Y$ the node $z$ is labeled $(f_X(z_0), f_Y(f'_X(\varepsilon)))$, we proceed according to $\delta(s, (x, y))$, for some $x$ which is our guess for $f_X(z_0)$. Each copy of $A$ that is sent to direction $z' \in Z$ and visits state $s'$ then induces a copy of $A'$ that is sent to direction $x$ and visits the state $s'$. All these copies are going to read the same letter, which is our guess for $f_Y(f'_X(z_0))$. The same idea repeats in further levels: a copy of $A$ that reads a node $\sigma \cdot z_1 \cdot z_2 \in Z^*$ and visits state $s$ is associated with a copy of $A'$ that reads the node $f'_X(z_0 \cdot \sigma)$ and visits the state $s$. The letter $y$ read by this copy (and all the other copies that read the node $f'_X(z_0 \cdot \sigma)$) is our guess for $f_Y(f'_X(z_0 \cdot \sigma))$. Since in $f_X + f_Y$ the node $\sigma \cdot z_1 \cdot z_2$ is labeled $(f_X(z_0 \cdot \sigma \cdot z_1), f_Y(f'_X(z_0 \cdot \sigma)))$, we proceed according to $\delta(s, (x, y))$ for some $x$ which is our guess for $f_X(z_0 \cdot \sigma \cdot z_1)$. All the copies sent to direction $x$ are going to read the same letter, which is our guess for $f_Y(f'_X(z_0 \cdot \sigma \cdot z_1))$. □
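As an added illustration (not code from the paper), the following Python builds the transition function $\delta'$ of Theorem 4.1 from the transition table of a small nondeterministic tree automaton. The automaton, its alphabets $X = \{a, b\}$ and $Y = \{0, 1\}$, and its two directions are constructed here for the example; they are not taken from the page.

```python
"""Building delta' of shape_X(A) (Theorem 4.1) from a nondeterministic
tree automaton A.  Constructed example, not code from the paper."""

# A nondeterministic tree automaton A over (X x Y)-labeled Z-trees: the
# transition table maps (q, (x, y)) to a set of |Z|-tuples of successor
# states, the j-th component being the state sent to the j-th direction
# of Z.  Here Z has two directions and X = {"a", "b"}, Y = {0, 1}.
X = {"a", "b"}
DELTA = {
    ("q0", ("a", 0)): {("q0", "q1")},
    ("q0", ("b", 0)): {("q1", "q1"), ("q0", "q0")},
    ("q1", ("a", 1)): {("q1", "q1")},
}


def shape_transitions(delta, x_alphabet):
    """delta'(q, y) of the alternating automaton A' = shape_X(A).

    Theorem 4.1 sets delta'(q, y) to the disjunction, over x in X and
    over the tuples (s_1, ..., s_|Z|) in delta(q, (x, y)), of the
    conjunction (x, s_1) and ... and (x, s_|Z|).  We return that DNF as a
    dictionary (q, y) -> set of conjunctions; each conjunction is a
    frozenset of (direction, state) atoms, so a repeated atom is kept once.
    """
    dnf = {}
    for (q, (x, y)), successors in delta.items():
        if x not in x_alphabet:
            raise ValueError(f"letter {x!r} is not in X")
        for states in successors:
            # every copy spawned by this choice is sent to direction x:
            # the guess x for f_X is joint to all directions z in Z
            conjunction = frozenset((x, s) for s in states)
            dnf.setdefault((q, y), set()).add(conjunction)
    return dnf


def joint_direction(dnf):
    """Check the property the proof relies on: within one conjunction all
    copies of A' are sent to the same direction x."""
    return all(len({d for d, _ in conj}) == 1
               for conjs in dnf.values() for conj in conjs)


if __name__ == "__main__":
    for key, conjs in sorted(shape_transitions(DELTA, X).items()):
        print(key, [sorted(c) for c in conjs])
```

The state set $Q$ is reused unchanged, which is why $A'$ has the same size as $A$; only the branching structure of the transitions changes, from one successor per direction of $Z$ to a conjunction of copies all sent to the guessed direction $x$.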

Given a nondeterministic tree automaton $A$, let $shape_X(A)$ denote the corresponding automaton $A'$ constructed in Theorem 4.1. Note that while $shape_X(A)$ returns an alternating tree automaton, it is defined for a nondeterministic tree automaton $A$. Thus, successive applications of $shape$ require an intermediate application of the exponential alternation-removal procedure in Theorem 2.1.

The  construction  described  in  Theorem  4.1  will  help 
us  to  solve  the  realizability  problem  by  successively 
reducing  the  number  of  processes  in  the  architectures. 
The  two  constructions  below  will  handle  the  external 
input  to  the  system  and  the  incomplete  information, 
and  they  are  presented  in  [KV99],  where  they  are  used 
for  the  synthesis  of  a  single  process  with  incomplete 
information. 

Theorem 4.2 Given an alternating tree automaton $A$ over $(\Upsilon \times Y)$-labeled $\Upsilon$-trees, we can construct an alternating tree automaton $A'$ over $Y$-labeled $\Upsilon$-trees such that $A'$ accepts a labeled tree $(\Upsilon^*, V)$ iff $A$ accepts $xray((\Upsilon^*, V))$, and the automata $A'$ and $A$ have the same size and index.

Theorem 4.3 Let $X$, $Y$, and $Z$ be finite sets. Given an alternating tree automaton $A$ over $Z$-labeled $(X \times Y)$-trees, we can construct an alternating tree automaton $A'$ over $Z$-labeled $X$-trees such that $A'$ accepts a $Z$-labeled tree $(X^*, V)$ iff $A$ accepts the $Z$-labeled tree $wide_Y((X^*, V))$, and the automata $A'$ and $A$ have the same size and index.

Finally, since we want our algorithm to be applicable also for settings in which communication involves a delay, we need a construction that handles such a delay.

Theorem 4.4 Given an alternating tree automaton $A$ over $Y$-labeled $\Upsilon$-trees, we can construct an alternating tree automaton $A'$ over $Y$-labeled $\Upsilon$-trees such that $A'$ accepts a labeled tree $(\Upsilon^*, V)$ iff $A$ accepts $delay((\Upsilon^*, V))$, and the automata $A'$ and $A$ have the same size and index.
Given an alternating tree automaton $A$, let $cover(A)$, $narrow_Y(A)$, and $wait(A)$ denote the corresponding automata $A'$ constructed in Theorems 4.2, 4.3 (for a set $Y$ of directions), and 4.4, respectively.

5  Solving  the  synthesis  problem 

In this section we study the synthesis problem for the architectures described in Section 3. We show that for all the four classes, the problem is decidable, with a nonelementary complexity. Thus, given a CTL* formula $\psi$, a class $C$ (one-way chain, two-way chain, one-way ring, or two-way ring), and an integer $n$, the complexity of constructing $n$ strategies for $n$ processes in an architecture of class $C$ that satisfies $\psi$ is $n$-$exp(|\psi|)$.¹

One-way chain. We assume that communication involves a delay. Thus, the input to $P_{i+1}$ at time $t$ is the output of $P_i$ (or the environment, when $i = 0$) at time $t - 1$. Accordingly, we define the composition $f$ of $f_1, \ldots, f_n$ as follows. For a string $\sigma = z_0 \cdot z_1 \cdots z_k$ and $i \geq 0$, let $z_0 \cdot z_1 \cdots z_{k-i}$ be either the prefix of length $k - i + 1$ of $\sigma$, in case $k - i + 1 > 0$, or $\varepsilon$, in case $k - i + 1 \leq 0$. Also, let $z_0$ be the root direction of $2^{I_1}$. Then, $f : (2^{I_1})^* \to 2^{O \cup H}$ is defined as follows.

• $f(\varepsilon) = f_1(\varepsilon) \cup \cdots \cup f_n(\varepsilon)$.

• For $\sigma \in (2^{I_1})^*$ with $\sigma = z_1 \cdots z_k$, we have $f(\sigma) = f_1(z_0 \cdot z_1 \cdots z_{k-1}) \cup f_2(f'_1(z_0 \cdot z_1 \cdots z_{k-2})) \cup \cdots \cup f_n(f'_{n-1}(z_0 \cdot z_1 \cdots z_{k-n}))$.

Consider a CTL* formula $\psi$ over $I \cup O \cup H \cup H_{env}$. Recall that in a one-way chain, we have $I \cup O = I_1 \cup O$. In order to solve the realizability problem, we build the following tree automata.

• $A_\psi$: an alternating Rabin tree automaton that accepts a $(2^{I \cup O \cup H \cup H_{env}})$-labeled $(2^{I_1 \cup H_{env}})$-tree $((2^{I_1 \cup H_{env}})^*, V)$ iff it satisfies $\psi$ [see Theorem 3.1].

• $A_0$: the alternating Rabin tree automaton $wait(A_\psi)$. Thus, $A_0$ accepts a $(2^{I \cup O \cup H \cup H_{env}})$-labeled $(2^{I_1 \cup H_{env}})$-tree $((2^{I_1 \cup H_{env}})^*, f)$ iff $delay(((2^{I_1 \cup H_{env}})^*, f))$ satisfies $\psi$ [see Theorem 4.4].

• $A'_0$: the alternating Rabin tree automaton $cover(A_0)$. Thus, $A'_0$ accepts a $(2^{O \cup H})$-labeled $(2^{I_1 \cup H_{env}})$-tree $((2^{I_1 \cup H_{env}})^*, f)$ iff $delay(xray(((2^{I_1 \cup H_{env}})^*, f)))$ satisfies $\psi$ [see Theorem 4.2].

¹ $n$-$exp(k)$ is a stack of $n$ exponents with $k$ on the top; i.e., $1$-$exp(k) = 2^k$ and $(i+1)$-$exp(k) = 2^{i\text{-}exp(k)}$.


• $A''_0$: the alternating Rabin tree automaton $narrow_{(2^{H_{env}})}(A'_0)$. Thus, $A''_0$ accepts a $(2^{O \cup H})$-labeled $2^{I_1}$-tree $((2^{I_1})^*, f)$ iff $delay(xray(wide_{(2^{H_{env}})}(((2^{I_1})^*, f))))$ satisfies $\psi$ [see Theorem 4.3].

• For $1 \leq i \leq n - 1$,

 – $A_i$: a nondeterministic Rabin tree automaton equivalent to $A''_{i-1}$ [see Theorem 2.1]. Note that the automaton $A_i$ runs on ( )-labeled $2^{O_{i-1}}$-trees, where we take $O_0 = I_1$.

 – $A'_i$: the alternating Rabin automaton $shape_{(2^{O_i \cup H_i})}(A_i)$. Thus, $A'_i$ runs on ( )-labeled $2^{O_i \cup H_i}$-trees and it accepts a tree $((2^{O_i \cup H_i})^*, f)$ iff there is a $(2^{O_i \cup H_i})$-labeled $2^{O_{i-1}}$-tree $((2^{O_{i-1}})^*, f')$ such that $f' + f$ is accepted by $A_i$ [see Theorem 4.1].

 – $A''_i$: the alternating Rabin automaton $narrow_{(2^{H_i})}(A'_i)$. Thus, $A''_i$ accepts a ( )-labeled $2^{O_i}$-tree $((2^{O_i})^*, f)$ iff $wide_{(2^{H_i})}(((2^{O_i})^*, f))$ is accepted by $A'_i$ [see Theorem 4.3].

Intuitively, in each iteration $1 \leq i \leq n$, we assume that the strategies of $P_1, \ldots, P_{i-1}$ are given (they are encapsulated in the transition function of $A_i$) and the automaton $A_i$ accepts all the compositions of $P_i, \ldots, P_n$ that together with the given strategies satisfy $\psi$. Thus, the transition from $A_i$ to $A_{i+1}$ involves an encapsulation of the possible strategies of $P_i$ (and how they affect the behavior required from $P_{i+1}, \ldots, P_n$ in order to satisfy $\psi$) into the transition function of $A_i$.

Lemma 5.1 $\psi$ is realizable iff $A''_{n-1}$ is not empty.

The construction of $A_i$ goes via $i$ iterations. Each iteration involves two automata transformations. One transformation ($narrow$) gets and returns an alternating tree automaton. The other transformation ($shape$) gets a nondeterministic tree automaton and returns an alternating tree automaton. While all the transformations involve no blow-up in the size of the automata, the fact that $shape$ handles nondeterministic automata requires the application of an additional transformation, namely the translation of an alternating tree automaton to a nondeterministic one. This transformation involves an exponential blow-up, leading to an overall nonelementary blow-up.
Theorem 5.2 The synthesis problem for CTL* and one-way chains is nonelementary decidable.

Proof: It follows from the constructions described in Section 4 that the size of $A''_{n-1}$ is $(n-1)$-$exp(|\psi|)$. The nonemptiness problem for $A''_{n-1}$ can then be solved in time $n$-$exp(|\psi|)$ [MS95, KV98]. Lemma 5.1 then implies that the realizability problem for $\psi$ can be solved in time $n$-$exp(|\psi|)$. The nonemptiness algorithm can be extended to produce a witness for the automaton being nonempty (in fact, a witness that is a memoryless strategy [Tho95]). A witness for the nonemptiness of $A''_{n-1}$ induces a strategy $f_n$ for $P_n$. In order to get a strategy for $P_{n-1}$, we combine with $f_n$ and get an automaton that is guaranteed to be nonempty and whose witness induces a strategy $f_{n-1}$ for $P_{n-1}$. We continue similarly until strategies for all processes are synthesized. □

A matching nonelementary lower bound is proved (for LTL formulas) in [PR90] (cf. [PR79]). This lower bound applies also to the other architectures.

With appropriate simple modifications (skipping the "wait construction" and redefining the "shape construction" to ignore the delay), the method described above can handle one-way channels in which communication involves no delay (the definition of composition then coincides with the one of [PR90]). As we describe below, the method can also be extended to handle the other classes of architectures described in Section 3. The differences among the architectures influence the sets of labels and directions of the trees over which the automata are defined (for example, in a one-way ring $A_i$ runs on ( )-trees, and in a two-way ring, it runs on ( )-trees), influence the definition of composition, and accordingly influence the definition of $shape_X(T)$ and the "shape construction" that handles it. For all the architectures, however, the idea is similar: a successive reduction in the number of processes, where in each step we omit a process and encapsulate its possible strategies into the transition function of intermediate automata.

One-way ring. Recall that in a one-way ring, the process $P_1$ reads signals from both $P_n$ and the environment. We suggest two alternative modifications to the method presented for one-way chains. The first is rather simple: all the intermediate automata we construct maintain (in their alphabet) the input that $P_1$ reads from $P_n$. Then, in the last automaton, which corresponds to $P_n$'s strategy, we close the ring by requiring the output of $P_n$ to agree with the maintained input. The second approach is cleaner (and it also has a computational advantage), yet it requires a more substantial modification. The idea is to start with $P_1$ and proceed in both directions, encapsulating two processes in each iteration. The two directions meet at the automaton $A_1$, whose nonemptiness witnesses a strategy for $P_1$ that satisfies the tasks inherited to $P_1$ by both the processes to its left and those to its right.

Two-way chain. The two-way chain architecture is much richer than that of a one-way chain. Since the difficulties imposed by incomplete information are orthogonal and are handled by the $narrow$ construction, we describe here the solution for systems with complete information, thus $H_{env} \cup H = \emptyset$. In a two-way chain, the process $P_i$ reads both $O_{i-1}$ and $O_{i+1}$, so its strategy is a function $f_i : (2^{O_{i-1} \cup O_{i+1}})^* \to 2^{O_i}$. Accordingly, while in the case of a one-way chain the reduction of the process $P_i$ involves a transition from an automaton that runs on ( )-labeled $2^{O_{i-1}}$-trees to an automaton that runs on $(2^{O_{i+1} \cup \cdots \cup O_n})$-labeled $2^{O_i}$-trees, here the reduction of $P_i$ should involve a transition from an automaton that runs on ( )-labeled $(2^{O_{i-1} \cup O_{i+1}})$-trees to an automaton that runs on $(2^{O_{i+1} \cup \cdots \cup O_n})$-labeled $(2^{O_i \cup O_{i+2}})$-trees. In order to see the modifications that are therefore needed in the $shape$ construction, let us first redefine the predicate $shape$ and the composition operator it involves.

Let $X_{i-1}$, $X_i$, $X_{i+1}$, $X_{i+2}$, and $X$ be finite sets, and let $z_0$ and $z'_0$ be the root directions of $X_{i-1}$ and $X_{i+1}$, respectively. For our application, $X_j$ stands for $2^{O_j}$, and $X$ stands for ( ). For an $(X_i \times X_{i+1} \times X_{i+2} \times X)$-labeled $(X_{i-1} \times X_{i+1})$-tree $((X_{i-1} \times X_{i+1})^*, f)$, we say that $((X_{i-1} \times X_{i+1})^*, f)$ is a composition of an $X_i$-labeled $(X_{i-1} \times X_{i+1})$-tree $((X_{i-1} \times X_{i+1})^*, f_1)$ and an $(X_{i+1} \times X_{i+2} \times X)$-labeled $(X_i \times X_{i+2})$-tree $((X_i \times X_{i+2})^*, f_2)$ iff for every $(z_1, z'_1)$ and $(z_2, z'_2)$ in $X_{i-1} \times X_{i+1}$ and for every $\sigma \in (X_{i-1} \times X_{i+1})^*$, we have ($f'$ and $f'_1$ are the memoryfull versions of $f$ and $f_1$):

• $f(\varepsilon) = (f_1(\varepsilon), f_2(\varepsilon))$.

• $f((z_1, z'_1)) = (f_1((z_0, z'_0)), f_2(f'_1(\varepsilon)))$.

• $f(\sigma \cdot (z_1, z'_1) \cdot (z_2, z'_2)) = (f_1((z_0, z'_0) \cdot \sigma \cdot (z_1, z'_1)),\; f_2(f'_1((z_0, z'_0) \cdot \sigma) \otimes f'((z_0, z'_0) \cdot \sigma)|_{X_{i+2}}))$, where $\otimes$ is bitwise concatenation (e.g., $y_1 \cdot y_2 \otimes y'_1 \cdot y'_2 = (y_1, y'_1) \cdot (y_2, y'_2)$) and $\tau|_{X_{i+2}}$ is the projection of $\tau$ on $X_{i+2}$.

We then say that $f = f_1 + f_2$. Intuitively, $f$ determines its $X_i$-element according to $f_1$ and determines the $(X_{i+1} \times X_{i+2} \times X)$-element by applying $f_2$ on an interleaving of an application of $f'_1$, which gives the $X_i$ element, and an application of $f'$ on a strict prefix of the input, which returns an element in $X_i \times X_{i+1} \times X_{i+2} \times X$ and is then projected on $X_{i+2}$. In addition, since we assume that communication involves a delay, $f$ ignores the last letters in a sequence and refers instead to the root directions.

For a set $T$ of $(X_i \times X_{i+1} \times X_{i+2} \times X)$-labeled $(X_{i-1} \times X_{i+1})$-trees, the set $shape_{X_i \times X_{i+2}}(T)$ consists of all $(X_{i+1} \times X_{i+2} \times X)$-labeled $(X_i \times X_{i+2})$-trees $((X_i \times X_{i+2})^*, f_2)$ for which there exists an $X_i$-labeled $(X_{i-1} \times X_{i+1})$-tree $((X_{i-1} \times X_{i+1})^*, f_1)$ such that $((X_{i-1} \times X_{i+1})^*, f_1 + f_2)$ is in $T$.

The $shape$ construction in Theorem 4.1 can be modified to handle the definition of $shape$ above. Essentially, while in the current construction the automaton $A'$ guesses in each transition a direction $x$ to proceed with, in the new construction $A'$ needs to guess two elements, corresponding to both $X_i$ and $X_{i+2}$, and it should remember the $X_{i+2}$ element for the projection described above.

Two-way  ring.  The  solution  for  two-way  rings  is 
based  on  the  modified  shape  construction  described 
for  two-way  chains  and  the  “two-direction  reasoning” 
described  for  one-way  rings. 

The important common property of the four classes we handle is the fact that there are no two processes both reading input from the environment. Consequently, the processes can be linearly ordered according to the signals they know. More architectures fall in this category. For example, it is possible to replace a single process in a chain by a group of processes that share the same knowledge, and adjust the synthesis algorithms accordingly. An exact characterization of architectures for which the synthesis problem is decidable is an open problem.

6  Discussion 

One of the most significant developments in the area of system verification over the last decade is the development of algorithmic methods for verifying temporal specifications of finite-state systems [CGP99]. This derives its significance both from the fact that many synchronization and communication protocols can be modeled as finite-state systems, as well as from the great ease of use of fully algorithmic methods. A frequent criticism against this approach, however, is that verification is done after significant resources have already been invested in the development of the program. Since systems typically contain errors, verification simply becomes part of the development process. The critics argue that the desired goal is to use the specification in the system development process in order to guarantee the design of correct systems. This is exactly what synthesis algorithms do. Despite this criticism, synthesis tools are not as popular in the industry as verification tools. There are several reasons for that: the scope of synthesis algorithms has been quite limited, their complexity is high, and they do not always produce practical systems, where practicality is measured in a variety of ways, such as optimality (say, number of latches required for implementing the system in hardware, or number of messages needed to be passed between the underlying processes), testability (the ability to test hardware without access to all the internal variables), and the like.

In this paper, we significantly extended the scope of synthesis to include many practical applications. We claim that the high complexity of the problem is not really a serious objection to the potential usefulness of synthesis. First, we note that experience with verification shows that nonelementary algorithms can nevertheless be practical, since the worst-case complexity does not arise often. For example, while the model-checking problem for specifications in second-order logic has nonelementary complexity, the model-checking tool Mona [EKM98, Kla98] successfully verifies many specifications given in second-order logic. Second, we argue that synthesis is not harder than verification. This may sound like wishful thinking, as it contradicts the known fact that while verification is easy (linear in the size of the model and at most exponential in the size of the specification), synthesis is hard (nonelementary). There is, however, something misleading in this fact: while the complexity of synthesis is given in terms of the specification, the complexity of verification is given with respect to both the specification and the (much bigger) system. In particular, in a distributed setting, it is shown in [Ros92] that there are LTL specifications $\psi_n$, of length $O(n)$, and architectures with $k$ processes such that the smallest strategy that realizes $\psi_n$ in the given architecture has $k$-$exp(n)$ states. What is the complexity of verifying whether a system satisfies $\psi_n$? Even if verification is linear in the size of the system, it would be nonelementary in $n$ for correct systems, just as the synthesis problem, since such systems necessarily have at least $k$-$exp(n)$ states!

In summary, we believe that the real challenge that synthesis algorithms and tools face in the coming years is mostly not that of dealing with computational complexity, but rather that of making automatically synthesized systems more practically useful.
Abstract

We propose a natural subclass of regular languages (Alphabetic Pattern Constraints, APC) which is effectively closed under permutation rewriting, i.e., under iterative application of rules of the form $ab \to ba$. It is well-known that regular languages do not have this closure property, in general. Our result can be applied for example to regular model checking, for verifying properties of parametrized linear networks of regular processes, and for modeling and verifying properties of asynchronous distributed systems.

We also consider the complexity of testing membership in APC and show that the question is complete for PSPACE when the input is an NFA, and complete for NLOGSPACE when it is a DFA. Moreover, we show that both the inclusion problem and the question of closure under permutation rewriting are PSPACE-complete when we restrict to the class APC.

1  Introduction 

Regular languages in their various representations (finite state automata, regular expressions, monadic first or second order logics, temporal logics, etc.) are extensively used for modelling and verifying properties of concurrent systems. The main reason is that regular languages enjoy important closure and decidability properties. They were used for modelling behaviors of systems in form of sets of computational sequences, often modulo some abstraction relation [6, 14, 23]. Recently, regular model checking was proposed as a technique of symbolic representation of sets of configurations in the analysis of infinite state systems like pushdown automata, fifo-channel systems, and parametrized networks of processes, see e.g. [1, 3, 4, 5, 11, 19, 24]. A fundamental problem which appears in all these areas is then the following one: Given a regular language $L$ and a relation $\mathcal{R}$ on sequences given either by a transducer or a rewriting system, we want to compute, if possible, the set $\mathcal{R}^*(L)$, which is the $\mathcal{R}$-closure of $L$ ($\mathcal{R}^*$ denotes the reflexive, transitive closure of $\mathcal{R}$). Since unrestricted rewriting systems have full computational power, we have to impose restrictions on the rewriting rules and on the regular languages we consider, in order to be able to compute $\mathcal{R}^*(L)$. In this paper we consider permutation rewriting rules of the form $ab \to ba$, where $a, b$ are letters of a given alphabet $\Sigma$. Such rewriting rules are usually called semi-commutation rules in Mazurkiewicz trace theory [7]. Our primary goal is to determine a suitable subclass of regular languages for which we can effectively compute the $\mathcal{R}$-closure, for any semi-commutation rewriting system $\mathcal{R}$.

The problem of computing the closure of a language under a semi-commutation rewriting system appears naturally in several areas. For instance, partial-order reduction methods [9, 17, 22] applied in traditional model-checking rely on the fact that the property we want to verify does not distinguish different linearizations of the same partial order. This allows to perform an improved, reduced exploration of large systems. In the simplest setting, a partial-order property means that the property is closed under partial commutation rules, i.e., (symmetric) rules of the form $ab \leftrightarrow ba$, meaning that two actions $a$ and $b$ are causally independent. However, it is often much more convenient to express a property (or its negation) as a set of behaviors (or bad behaviors), regardless of all possible interleavings between independent actions. Therefore, if a given property is not a partial-order property, then we can first compute its closure. The interest in doing this is that closing $\phi$ is in general much less expensive than a full exploration of the system.

In the context of regular model checking [5, 11, 19], a set of configurations is represented as a regular language and the actions of a system are modeled as a rewriting system $\mathcal{R}$. Then, the verification problem amounts to compute the $\mathcal{R}$-closure $\mathcal{R}^*(L)$ for a given set of initial configurations $L$. This allows for instance to analyze parameterized systems with arbitrarily many identical finite state processes which are connected linearly. Here, a configuration is a sequence of control states of individual processes, the $i$-th element of the sequence being the state of the $i$-th process. Thus, sets of configurations of arbitrary lengths, corresponding to systems with an arbitrary number of processes, are described by a regular language. This allows a uniform verification, i.e., for any number of processes. In protocols based on information exchange between neighbors (e.g., token exchange, mutual exclusion, leader election), certain transitions can be modeled by semi-commutation rewriting rules of the form $ab \to ba$. Being able to compute the $\mathcal{R}$-closure $\mathcal{R}^*(L)$ allows for instance to compute the effect of meta-transitions corresponding to the semi-commutation rewriting rules. Take as an example a simple mutual exclusion protocol, where linearly ordered processes can exchange a token which gives the right to enter a critical section. Suppose that the state of a process is 1 if it owns the token, and 0 otherwise. The initial configuration is then the regular expression $10^*$ (note that the number of processes is not fixed). An (abstract) transition rule of the system can be represented by the semi-commutation one-rule system $\mathcal{R} = \{10 \to 01\}$. We can now compute the reachable set of configurations $\mathcal{R}^*(10^*) = 0^*10^*$ and check for instance that the intersection with the set of bad configurations $(0+1)^*1(0+1)^*1(0+1)^*$ is empty.

Thus, given a regular language $L$ and a semi-commutation relation $\mathcal{R}$, we want to compute the reflexive, transitive closure $\mathcal{R}^*(L)$. However, it is not hard to see that semi-commutation rewriting does not preserve regularity. In our setting we would like to have a subclass of regular languages which is effectively closed under several operations, such as union, intersection and semi-commutation rewriting. Closure under these operations allows us to perform automatically a sequence of operations as required for example in the iterative fixed point computations of regular model checking. Clearly, we want a subclass of regular languages with a decidable membership problem. The solution proposed by this paper is the class of Alphabetic Pattern Constraints (APC), which appears naturally in many contexts of verification of concurrent systems. APC corresponds to finite unions of languages of the form $\Sigma_0^* a_1 \Sigma_1^* \cdots a_n \Sigma_n^*$, where every $\Sigma_i$ denotes a subset of the alphabet $\Sigma$ and every $a_i \in \Sigma$ denotes a single letter. For instance, the regular expressions in the token ring example above are APC expressions. APCs can be used for example for (negated) safety properties expressing the presence of patterns within computations or configurations, such as required for mutual exclusion. The class of APCs actually corresponds to the $\Sigma_2$-level of the quantifier-alternation hierarchy of the first-order logic of sequences [21]. We show that this class satisfies all the closure properties stated above. In particular, our first main result is that APC is closed under semi-commutation rewriting and we provide an effective algorithm that computes the closure $\mathcal{R}^*(L)$, given a semi-commutation system $\mathcal{R}$ and an APC language $L$.

For regular model checking we consider also circular semi-commutation rewriting. Indeed, the simplest interconnection topology in distributed computing is the ring topology. A (parameterized) configuration corresponds then to a circular word, i.e. a word $x_1 \cdots x_n$ with the understanding that $x_1$ follows $x_n$. This means that $x_1 \cdots x_n$ and its conjugated words $x_k x_{k+1} \cdots x_n x_1 \cdots x_{k-1}$ represent the same configuration. Thus, the set of configurations of a ring network is a set of words $L$ which is closed under conjugacy, i.e. $L = Conj(L)$. For instance, for the Token Ring Protocol the set of initial configurations on a ring is $Conj(10^*) = 0^*10^*$. Our second main result shows that for any semi-commutation rewriting system $\mathcal{R}$, the circular $\mathcal{R}$-closure $(Conj \circ \mathcal{R}^*)^*(L)$ of any language $L \subseteq \Sigma^*$ can be computed as long as the reflexive, transitive closure $\mathcal{R}^*(L)$ is computable. For this we show that $(Conj \circ \mathcal{R}^*)^*(L) = (Conj \circ \mathcal{R}^*)^{|\Sigma|}(L)$. This implies that for each APC language $L$ the circular $\mathcal{R}$-closure $(Conj \circ \mathcal{R}^*)^*(L)$ is in APC and can be effectively computed.
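The token-passing example, the APC membership check and the circular closure above can all be exercised on concrete configurations. The Python below is an added example and not code from the paper: it computes $\mathcal{R}^*(L)$ for a finite set of words (rewriting with $ab \to ba$ preserves length, so fixing the number of processes makes the closure finite), decides membership in one APC pattern $\Sigma_0^* a_1 \Sigma_1^* \cdots a_m \Sigma_m^*$ with a small set-of-states automaton, and iterates $Conj \circ \mathcal{R}^*$ to a fixpoint so the $|\Sigma|$ round bound can be observed. The function names, the pattern encoding and the sample configurations are ours.

```python
"""Semi-commutation closure, APC membership and circular closure, computed
on length-bounded word sets.  Constructed example, not code from the paper;
the functions, the bounded-length restriction and the sample data are ours."""


def rewrite_closure(words, rules):
    """R*(L) for a finite set L of words and a semi-commutation system R.

    rules is a set of pairs (a, b), each meaning the rule ab -> ba.  A rule
    only swaps two adjacent letters, so the closure of a finite set is
    finite and the search below terminates."""
    closure = set(words)
    frontier = list(words)
    while frontier:
        w = frontier.pop()
        for i in range(len(w) - 1):
            if (w[i], w[i + 1]) in rules:
                v = w[:i] + w[i + 1] + w[i] + w[i + 2:]
                if v not in closure:
                    closure.add(v)
                    frontier.append(v)
    return closure


def apc_match(word, pattern):
    """Membership in one APC language S_0* a_1 S_1* ... a_m S_m*.

    pattern alternates letter sets and letters: [S_0, a_1, S_1, ..., a_m, S_m].
    We run the (m+1)-state automaton whose state j means 'a_1..a_j matched'
    as a set of current states, since the S_j* loops make it nondeterministic."""
    sets, letters = pattern[0::2], pattern[1::2]
    m = len(letters)
    states = {0}
    for c in word:
        nxt = set()
        for j in states:
            if c in sets[j]:
                nxt.add(j)
            if j < m and c == letters[j]:
                nxt.add(j + 1)
        states = nxt
        if not states:
            return False
    return m in states


def conj(words):
    """Conj(L): every cyclic rotation of every word in L."""
    return {w[k:] + w[:k] for w in words for k in range(max(1, len(w)))}


def circular_closure(words, rules):
    """(Conj o R*)*(L), iterating Conj(R*(.)) until nothing new appears.

    Returns the closure and the number of rounds that added words; the
    paper shows |Sigma| rounds always suffice."""
    current = set(words)
    rounds = 0
    while True:
        following = conj(rewrite_closure(current, rules))
        if following == current:
            return current, rounds
        current, rounds = following, rounds + 1


# Token passing from the paper's example: 10 -> 01 moves the token right,
# and a configuration with two tokens matches (0+1)*1(0+1)*1(0+1)*.
TOKEN_RULES = {("1", "0")}
TWO_TOKENS = [{"0", "1"}, "1", {"0", "1"}, "1", {"0", "1"}]


def token_chain(n):
    """Reachable configurations of an n-process chain started in 10^(n-1),
    plus whether any of them violates mutual exclusion."""
    reachable = rewrite_closure({"1" + "0" * (n - 1)}, TOKEN_RULES)
    return reachable, any(apc_match(w, TWO_TOKENS) for w in reachable)


if __name__ == "__main__":
    reach, bad = token_chain(4)
    print(sorted(reach), "two tokens reachable:", bad)
    print(circular_closure({"1000"}, TOKEN_RULES))
```

Because the rules are directed, `rewrite_closure({"aba"}, {("a", "b")})` yields only `{"aba", "baa"}`: the `ba` at the end is never rewritten back to `ab`, which is the difference between semi-commutation and the symmetric partial-commutation rules mentioned earlier. For the ring, starting from `1000` the first round of `Conj(R*(.))` already produces all four rotations and the second round adds nothing, within the bound $|\Sigma| = 2$.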

In the last part of this paper we establish complexity bounds for basic problems concerning the class of APC languages. We show that deciding whether a regular language belongs to APC is complete for PSPACE when the language is given by a non-deterministic automaton, respectively complete for NLOGSPACE, when the input is a deterministic automaton. Moreover, we show that testing whether an APC language is closed under a semi-commutation rewriting relation, as well as the inclusion problem for APC, are both PSPACE-complete problems. These results suggest that APC is as "hard" as the whole class of regular languages, which means in some sense that APCs are expressive enough for specifying interesting properties. It is also interesting to note that APCs correspond to the smallest level in the quantifier-alternation hierarchy of first-order logic which has this "hardness property". Indeed, languages in $\Sigma_1$ and $\Pi_1$ correspond respectively to upward and downward subword-closed sets. For example, $\Pi_1$ is precisely the class SRE [1], for which it can be shown that inclusion can be checked in polynomial time.

Related work: Problems related to closure of languages under semi-commutations have been studied in the community of trace theory (see e.g. chapter 12 in [7] for a survey). However, the problems addressed here and our results have a different flavor. Our aim is to identify subclasses of regular languages which are closed under all semi-commutation rewriting relations, whereas classical results of trace theory aim at providing, for a given semi-commutation relation $\mathcal{R}$, sufficient conditions on regular languages $L$ ensuring that the $\mathcal{R}$-closure of $L$ remains regular. Moreover, these conditions on the languages always depend on the relation $\mathcal{R}$.

APC languages have been intensively stud ied in logic and algebra. As mentioned above, they correspond to the $\Sigma_2$-level of the quantifier-alternation hierarchy of first-order logic, i.e., to formulas of the form $\exists \bar{x}\, \forall \bar{y}\, \phi$ where $\phi$ is quantifier-free. The class APC has also an algebraic characterization: it corresponds to level 3/2 of Straubing's concatenation hierarchy of star-free sets. Moreover, it is the largest hierarchy level known to be decidable [18].

The complexity of deciding whether a regular $\omega$-language is closed under commutation rewriting was considered in [16, 20]. Several works on regular model checking deal with the problem of computing the closure of a regular language under a rewriting system [2, 5, 8, 10, 19]. However, the techniques proposed in these papers are not complete, in general. Moreover, they do not cover the case of semi-commutation rewriting.

2 Alphabetic Pattern Constraints

In this section we define the class of Alphabetic Pattern Constraints (APC) and show that APC is closed under union, intersection and conjugacy, but not under complementation.

Definition 2.1 Let $\Sigma$ be a finite alphabet. An atomic expression over $\Sigma$ is either a letter $a$ of $\Sigma$, or a star expression $(a_1 + a_2 + \cdots + a_n)^*$, where $a_1, a_2, \ldots, a_n \in \Sigma$. The set of star expressions is denoted by $S(\Sigma)$.

A product $p$ over $\Sigma^*$ is a (possibly empty) concatenation $e_1 e_2 \cdots e_n$ of atomic expressions $e_1, \ldots, e_n$ over $\Sigma$. We use $\varepsilon$ to denote the empty product.

An Alphabetic Pattern Constraint (APC) over $\Sigma^*$ is an expression of the form $p_1 + \cdots + p_n$, where $p_1, \ldots, p_n$ are products over $\Sigma^*$. By $\mathrm{APC}(\Sigma)$ we denote the set of regular languages described by some APC over $\Sigma^*$.

In the rest of the paper we will not distinguish between a regular expression and the language that it defines. However, the input for our algorithms in Sections 3 and 5 will be an APC expression.

It can easily be seen that the class of APCs is not closed under complementation. Consider for example the alphabet $\Sigma = \{a, b\}$ and the APC language $\Sigma^* aa \Sigma^* + \Sigma^* bb \Sigma^* + b \Sigma^* + \Sigma^* a$. It is not difficult to check that its complement $(ab)^*$ does not belong to APC.

Let us introduce some notations which will be used in the analysis of operations on APCs. Let $p = e_1 \cdots e_n$ be a product; then the length of $p$, denoted $l(p) = n$, is the number of atomic expressions in $p$. Let $e = \sum_i p_i$ be an APC expression; then the length of $e$ is defined as $l(e) = \max_i l(p_i)$. The size of an expression is the sum of the lengths of its products. For a language $L$ we denote by $\alpha(L)$ the set of letters of $\Sigma$ appearing in $L$. As usual, $|L|$ denotes the cardinality of $L$. For a string $w \in \Sigma^*$ and a letter $a \in \Sigma$, we denote by $|w|_a$ the number of occurrences of $a$ in $w$.

We recall that two words $x, y \in \Sigma^*$ are called conjugated if $x = uv$ and $y = vu$ for some $u, v \in \Sigma^*$. For a language $L$, we denote by $\mathrm{Conj}(L)$ the set $\{\, vu \in \Sigma^* \mid uv \in L \,\}$ of conjugates of words from $L$. For a class of languages $\mathcal{C}$ to be closed under conjugacy we require that $L \in \mathcal{C}$ implies $\mathrm{Conj}(L) \in \mathcal{C}$.

We conclude this section by stating some straightforward closure properties of APC. The proofs are not difficult and can be found in the full version of the paper.

Proposition 2.1 The class APC is closed under union, intersection and conjugacy.

Remark 2.1 While union and conjugacy are polynomial operations, computing the intersection of two APC languages yields an expression of exponential size. The worst case is indeed exponential, as shown by the following example. Consider the products $p_n = b^*(ab^*)^n$ and $q_n = (a^* b)^n a^*$, each of size $2n + 1$. Then $\{\, w \in (a + b)^* \mid |w|_a = |w|_b = n \,\} = p_n \cap q_n$ is a finite set with the property that every APC expression for $p_n \cap q_n$ is of exponential size.

3 Semi-Commutation Rewriting and APC

Semi-commutations are a natural way of expressing causal independence in concurrent systems in an algebraic way. The original notion was proposed in the late 70's by Mazurkiewicz [12] for the semantics of Petri nets. Mazurkiewicz traces and semi-traces are a model of true concurrency with nice algorithmic properties, which can be exploited for automatic verification methods.

A semi-commutation relation $\mathcal{R}$ defined over an alphabet $\Sigma$ of actions is an irreflexive binary relation, i.e., a subset of $\Sigma \times \Sigma \setminus \{(a, a) \mid a \in \Sigma\}$. The idea is that two actions $a, b$ with $(a, b) \in \mathcal{R}$ are (partially) causally independent, in the sense that we can rewrite $ab$ into $ba$ in every context. In many cases the relation $\mathcal{R}$ is asymmetric; for instance, in a producer-consumer model we may rewrite $cp \to pc$ but not the other way round.

It is not difficult to see that semi-commutation rewriting does not preserve regularity. Consider for example the set $L = (ab)^*$ and the semi-commutation system $\mathcal{R} = \{ba \to ab\}$. Then $\mathcal{R}^*(L)$ is the (non-regular) set of all words having the same number of $a$'s and $b$'s, and such that all their prefixes contain at least as many $a$'s as $b$'s. Therefore, we cannot hope to represent the relation $\mathcal{R}^*$ by a finite transducer, in general.

We associate with each semi-commutation relation $\mathcal{R}$ a rewriting relation $\rho_{\mathcal{R}} \subseteq \Sigma^* \times \Sigma^*$, which is defined by $(w, w') \in \rho_{\mathcal{R}}$ if there exist $w_1, w_2 \in \Sigma^*$ and $a, b \in \Sigma$ such that $(a, b) \in \mathcal{R}$, $w = w_1 ab w_2$, and $w' = w_1 ba w_2$. As usual, we denote by $\rho_{\mathcal{R}}^*$ the reflexive, transitive closure of $\rho_{\mathcal{R}}$. For a language $L \subseteq \Sigma^*$, we denote its $\mathcal{R}$-closure $\{\, v \in \Sigma^* \mid \exists u \in L,\ (u, v) \in \rho_{\mathcal{R}}^* \,\}$ by $\mathcal{R}^*(L)$.

The notation of semi-commutations can be extended to sets by letting, for all subsets $X, Y \subseteq \Sigma$:
\[
(X, Y) \in \mathcal{R} \iff X \times Y \subseteq \mathcal{R} .
\]

Let $\mathcal{R}$ be a semi-commutation relation; then we denote by $S_{\mathcal{R}}$ the value
\[
S_{\mathcal{R}} = \max\{\, |Y| \mid Y \subseteq \Sigma,\ a \in \Sigma \text{ such that } (Y, a) \in \mathcal{R} \,\} .
\]
We will assume throughout the paper that $\mathcal{R} \neq \emptyset$, thus $S_{\mathcal{R}} > 0$.

Our first main result is stated in the theorem below. The remainder of this section consists in describing the algorithm underlying Theorem 3.1. Several proofs are omitted and can be found in the full version of the paper.

Theorem 3.1 For each APC expression $L$, the $\mathcal{R}$-closure $\mathcal{R}^*(L)$ belongs to APC and can be computed effectively. Moreover, the length of the computed expression is in $O((S_{\mathcal{R}} +$ [remainder of the bound illegible in the scanned source].

Since $L \in \mathrm{APC}(\Sigma)$ is a finite union of products, its closure $\mathcal{R}^*(L)$ is the union of the closures of its products. Hence, it suffices to show how to compute effectively $\mathcal{R}^*(p)$ for a given product $p$. For this we use the $\mathcal{R}$-shuffle operation defined below. The idea is to compute $\mathcal{R}^*(e_1 e_2 \cdots e_n)$ recursively, i.e., computing first $\mathcal{R}^*(e_2 \cdots e_n)$ and using that $\mathcal{R}^*(e_1) = e_1$. The recursive step means that we need to compute $\mathcal{R}^*(eL)$ for an $\mathcal{R}$-closed APC expression $L$ and an atomic expression $e$, an operation which will also be performed recursively. For our computations we need the following notations:

Definition 3.1 Let $\mathcal{R}$ be a semi-commutation relation. Given two words $x$ and $y$ of $\Sigma^*$, the $\mathcal{R}$-shuffle of $x$ and $y$, denoted by $x \shuffle_{\mathcal{R}} y$, is the set of words of the form $x_1 y_1 \cdots x_n y_n$ with $x = x_1 \cdots x_n$, $y = y_1 \cdots y_n$, $x_i, y_i \in \Sigma^*$ for all $1 \le i \le n$, and such that $(\alpha(x_i), \alpha(y_j)) \in \mathcal{R}$ for all $j < i$.

The $\mathcal{R}$-shuffle extends to sets $X, Y \subseteq \Sigma^*$ by letting
\[
X \shuffle_{\mathcal{R}} Y = \bigcup \{\, x \shuffle_{\mathcal{R}} y \mid x \in X,\ y \in Y \,\} .
\]

Note that for all $x, y \in \Sigma^*$ we have $\mathcal{R}^*(xy) = \mathcal{R}^*(x) \shuffle_{\mathcal{R}} \mathcal{R}^*(y)$. The next lemma shows how to compute $\mathcal{R}^*(LK)$ when $L$ and $K$ are already $\mathcal{R}$-closed.

Lemma 3.1 Let $L$ and $K$ be two $\mathcal{R}$-closed sets, i.e., we suppose that we have both $\mathcal{R}^*(L) = L$ and $\mathcal{R}^*(K) = K$. Then we have $\mathcal{R}^*(LK) = L \shuffle_{\mathcal{R}} K$.

Since any atomic expression is $\mathcal{R}$-closed we can state the following lemma:

Lemma 3.2 Let $e_1, e_2, \ldots$ be atomic expressions and let $p = e_1 e_2 \cdots e_n$ be a product; then we have:
\[
\mathcal{R}^*(p) = e_1 \shuffle_{\mathcal{R}} \bigl( e_2 \shuffle_{\mathcal{R}} ( \cdots \shuffle_{\mathcal{R}} e_n ) \cdots \bigr) .
\]

By the preceding lemma we can compute $\mathcal{R}^*(p)$ recursively. Lemma 3.3 and Proposition 3.1 below are the basic cases of our algorithm.

Lemma 3.3 Let $E$ be a subset of $\Sigma$ and let $a \in \Sigma$ be a letter; then we have:
\[
E^* \shuffle_{\mathcal{R}} a = \mathcal{R}^*(E^* a) = E^* a E'^* ,
\]
where $E' = \{\, x \in E \mid (x, a) \in \mathcal{R} \,\}$.

Example 3.1 Consider the product $p = (e + f + g)^* d$ and the semi-commutation relation $\mathcal{R}_1 = \{(f, d), (g, d)\}$. Then the previous lemma yields
\[
\mathcal{R}_1^*(p) = (e + f + g)^* \shuffle_{\mathcal{R}_1} d = (e + f + g)^* d (f + g)^* .
\]

The next proposition is the main technical result needed for the proof of Theorem 3.1. It shows that the $\mathcal{R}$-closure of the product of two star expressions belongs to APC. In particular, note that the length of the products in the expression given below is bounded above by a constant which is polynomial in $\Sigma$ and $\mathcal{R}$.

Proposition 3.1 Let $E$ and $F$ be two subsets of $\Sigma$; then $E^* \shuffle_{\mathcal{R}} F^* = \mathcal{R}^*(E^* F^*)$ equals
\[
\sum E^* (E_1 + F_1)^* \cdots (E_n + F_n)^* F^* ,
\]
where the sum is taken over all subsets $E_i$ and $F_i$ of $\Sigma$ satisfying the following conditions:

• $\emptyset \neq E_n \subset \cdots \subset E_1 \subseteq E$,

• $\emptyset \neq F_1 \subset \cdots \subset F_n \subseteq F$,

• $(E_i, F_j) \in \mathcal{R}$ for all $1 \le j \le i \le n$.


Proof. The first equality can be inferred as previously from Lemma 3.1, since $E^*$ and $F^*$ are closed under $\mathcal{R}$.

Let us consider now the second equality. It is obvious that $E^* (E_1 + F_1)^* \cdots (E_n + F_n)^* F^* \subseteq \mathcal{R}^*(E^* F^*)$ whenever $E_i$ and $F_i$ satisfy $(E_i, F_j) \in \mathcal{R}$ for all $j \le i$.

Conversely, let $w \in E^* \shuffle_{\mathcal{R}} F^* = \mathcal{R}^*(E^* F^*)$. We can write $w = u_1 v_1 u_2 v_2 \cdots u_m v_m$ with $u_i \in E^*$, $v_i \in F^*$, and such that $(\alpha(u_i), \alpha(v_j)) \in \mathcal{R}$ holds for all $j < i$. Clearly, we can assume that $u_i, v_j \neq \varepsilon$ for all $i \neq 1$ and $j \neq m$.

Consider the sequences $(k_i)_{1 \le i \le n}$, $(E_i)_{1 \le i \le n}$ and $(F_i)_{1 \le i \le n}$ defined inductively by:

• $k_1 = 1$, $k_i = \min\{\, j \mid k_{i-1} < j \le m,\ v_j \notin F_{i-1}^* \,\}$,

• $E_i = \alpha(u_{k_i + 1} \cdots u_m)$,

• $F_i = \{\, y \in F \mid \forall x \in E_i,\ (x, y) \in \mathcal{R} \,\}$.

By definition we have $E_{i+1} \subseteq E_i \subseteq E$, hence $F_i \subseteq F_{i+1} \subseteq F$ for all $i$. Moreover, $(E_i, F_i) \in \mathcal{R}$ holds for all $i$, therefore $(E_i, F_j) \in \mathcal{R}$ for all $j \le i$. Finally, we note that $u_{k_i + 1} \cdots u_{k_{i+1}} \in E_i^*$ and $v_{k_i} \cdots v_{k_{i+1} - 1} \in F_i^*$, which yields the result. □

Remark 3.1 Note that the cardinality of $E_i$ is at most $S_{\mathcal{R}}$, since we require $F_i \neq \emptyset$ and $(E_i, F_i) \in \mathcal{R}$. Moreover, since there is a strict inclusion between the $E_i$'s, the length of the products in the expression for $\mathcal{R}^*(E^* F^*)$ is at most $S_{\mathcal{R}} + 2$.

Example 3.2 Consider the product $p = (a + b + c)^* (e + f + g)^*$ and the semi-commutation relation $\mathcal{R}_2 = \{(a, e), (c, g), (b, e), (b, f)\}$. From the proposition above it follows that
\[
\mathcal{R}_2^*(p) = (a + b + c)^* \shuffle_{\mathcal{R}_2} (e + f + g)^* = (a + b + c)^* (c + g)^* (e + f + g)^* + (a + b + c)^* (a + b + e)^* (b + e + f)^* (e + f + g)^* .
\]
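The closed forms of Lemma 3.3 and Proposition 3.1 can be checked mechanically on words of bounded length, because semi-commutation rewriting never changes the length of a word. The following Python script is an added example written for this edition of the text; it is not code from the paper or from its authors. It computes the $\mathcal{R}$-closure of a finite language by brute-force rewriting, enumerates the chains of Proposition 3.1 to build the APC expression for $\mathcal{R}^*(E^* F^*)$ for arbitrary $E$, $F$ and $\mathcal{R}$ (our reading of the proposition also counts the empty chain, which contributes $E^* F^*$ itself), and compares the two on every word up to a length bound. The relations R1, R2, R4 and the products are the constructed data of Examples 3.1, 3.2 and 3.4; all function and variable names are ours.

```python
import itertools
import re
from collections import deque

# Constructed sample data taken from the examples of Section 3. A pair (x, y)
# in a relation stands for the rule xy -> yx, i.e. x may move right past y.
R1 = {("f", "d"), ("g", "d")}                          # Example 3.1
R2 = {("a", "e"), ("c", "g"), ("b", "e"), ("b", "f")}  # Example 3.2
R4 = R2 | {("a", "d")}                                 # Example 3.4

# A product is a list of atomic expressions: a one-letter string is that
# letter, a frozenset S stands for the star expression S*.
E, F, FG = frozenset("abc"), frozenset("efg"), frozenset("fg")


def closure_of_word(word, R):
    """R-closure of one word: breadth-first search over single rewrite steps.
    Rewriting never changes the length, so the search space is finite."""
    seen, queue = {word}, deque([word])
    while queue:
        w = queue.popleft()
        for i in range(len(w) - 1):
            if (w[i], w[i + 1]) in R:
                w2 = w[:i] + w[i + 1] + w[i] + w[i + 2:]
                if w2 not in seen:
                    seen.add(w2)
                    queue.append(w2)
    return seen


def closure_of_language(words, R):
    """R*(L) for a finite set of words L."""
    result = set()
    for w in words:
        result |= closure_of_word(w, R)
    return result


def product_words(product, max_len):
    """All words of length <= max_len in the language of a product."""
    words = {""}
    for e in product:
        if isinstance(e, str):
            words = {w + e for w in words if len(w) < max_len}
        else:
            grown = set()
            for w in words:
                for n in range(max_len - len(w) + 1):
                    for t in itertools.product(sorted(e), repeat=n):
                        grown.add(w + "".join(t))
            words = grown
    return words


def regex_of_apc(products):
    """Translate an APC (a list of products) into a Python regular expression."""
    def atom(e):
        if isinstance(e, str):
            return re.escape(e)
        return "[" + "".join(sorted(e)) + "]*" if e else ""
    return "|".join("".join(atom(e) for e in p) for p in products) or "(?!)"


def language_of(products, alphabet, max_len):
    """All words of length <= max_len over the alphabet that the APC matches."""
    pattern = re.compile(regex_of_apc(products))
    return {w for n in range(max_len + 1)
            for w in map("".join, itertools.product(sorted(alphabet), repeat=n))
            if pattern.fullmatch(w)}


def related(X, Y, R):
    """Set extension of Section 3: (X, Y) in R iff every pair of X x Y is in R."""
    return all((x, y) in R for x in X for y in Y)


def nonempty_subsets(S):
    S = sorted(S)
    for r in range(1, len(S) + 1):
        for c in itertools.combinations(S, r):
            yield frozenset(c)


def closure_of_two_stars(E, F, R):
    """Proposition 3.1: R*(E*F*) as the sum of E*(E_1+F_1)*...(E_n+F_n)*F* over
    chains E_1 > ... > E_n (nonempty) and F_1 < ... < F_n (nonempty, inside F)
    with (E_i, F_j) in R for j <= i; since F_j is a subset of F_i for j <= i,
    testing (E_i, F_i) suffices. The empty chain contributes E*F* (our reading)."""
    chains = []

    def extend(chain):
        chains.append(chain)
        prev_E = chain[-1][0] if chain else E
        prev_F = chain[-1][1] if chain else frozenset()
        for Ei in nonempty_subsets(prev_E):
            if chain and Ei == prev_E:          # E_i must be strictly smaller
                continue
            for Fi in nonempty_subsets(F):
                if prev_F < Fi and related(Ei, Fi, R):   # F_i strictly larger
                    extend(chain + [(Ei, Fi)])

    extend([])
    return [[E] + [Ei | Fi for Ei, Fi in chain] + [F] for chain in chains]


def closure_matches(product, apc, R, max_len=5):
    """True iff the brute-force R-closure of the product and the language of the
    claimed APC agree on all words up to max_len (sound as a bounded check,
    because both sides preserve word length)."""
    alphabet = set().union(*(set(e) for e in product), *(set(e) for p in apc for e in p))
    brute = closure_of_language(product_words(product, max_len), R)
    return brute == language_of(apc, alphabet, max_len)


if __name__ == "__main__":
    # Example 3.1 via Lemma 3.3: (e+f+g)* d  ->  (e+f+g)* d (f+g)*
    print(closure_matches([F, "d"], [[F, "d", FG]], R1))
    # Example 3.2: the paper's two-product form, and the general sum of Proposition 3.1
    paper_3_2 = [[E, frozenset("cg"), F], [E, frozenset("abe"), frozenset("bef"), F]]
    print(closure_matches([E, F], paper_3_2, R2))
    print(closure_matches([E, F], closure_of_two_stars(E, F, R2), R2))
```

Each check prints True. A bounded comparison is not a proof, but it catches the errors that are easy to make when writing these expressions by hand: a missing chain, or a product that admits a letter order the rewriting rules never produce (replacing the claimed expression for Example 3.2 by $E^* F^*$ alone, for instance, is rejected immediately).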

We are now going to compute effectively $\mathcal{R}^*(p) = \mathcal{R}^*(e_1 e_2 \cdots e_n)$ and show that it belongs to APC. By Lemma 3.3 and Proposition 3.1 we have shown the result for $n = 2$. Suppose now that $\mathcal{R}^*(e_2 \cdots e_n) = \sum f_1 f_2 \cdots f_k$, with the $f_i$ denoting atomic expressions, and let us show that $\mathcal{R}^*(e_1 e_2 \cdots e_n)$, which equals $e_1 \shuffle_{\mathcal{R}} \sum (f_1 f_2 \cdots f_k)$, also belongs to APC. Thus, we only need to compute $e_1 \shuffle_{\mathcal{R}} (f_1 f_2 \cdots f_k)$ and to show that it is of the required form. To do this we will distinguish two cases, depending on $e_1$ being a letter or a star expression. The first case is straightforward:

Lemma 3.4 Let $a \in \Sigma$ and $f_1, \ldots, f_n$ be atomic expressions; then
\[
a \shuffle_{\mathcal{R}} (f_1 f_2 \cdots f_n) = \sum_{j} g_1 \cdots g_j\, a\, h_j\, f_{j+1} \cdots f_n ,
\]
where the sum ranges over those $0 \le j \le n$ for which $g_1, \ldots, g_j$ are defined as follows, for all $i \le j$:

• if $f_i \in S(\Sigma)$, then $g_i \in S(\Sigma)$ with $\alpha(g_i) = \{\, x \in \alpha(f_i) \mid (a, x) \in \mathcal{R} \,\}$,

• if $f_i = b \in \Sigma$ and $(a, b) \in \mathcal{R}$, then $g_i = b$.

Moreover, $h_j = f_j$ when $f_j \in S(\Sigma)$, and $h_j = \varepsilon$ when $f_j \in \Sigma$ (and for $j = 0$).

Example 3.3 Let $\mathcal{R}_3$ be the semi-commutation relation $\mathcal{R}_3 = \{(h, a), (h, e)\}$. Then the previous lemma implies that
\[
h \shuffle_{\mathcal{R}_3} (a + b + c)^* (a + b + e)^* (b + e + f)^* = a^* h (a + b + c)^* (a + b + e)^* (b + e + f)^* + (a + e)^* h (a + b + e)^* (b + e + f)^* .
\]

The next proposition generalizes Lemma 3.3 and Proposition 3.1.

Proposition 3.2 Let $E$ and $F$ be two subsets of $\Sigma$, $a \in \Sigma$ a letter, and $L$ a language of $\Sigma^*$; then we have:

1. $E^* \shuffle_{\mathcal{R}} (aL) = (E^* \shuffle_{\mathcal{R}} a)(E'^* \shuffle_{\mathcal{R}} L)$, where $E' = \{\, b \in E \mid (b, a) \in \mathcal{R} \,\}$.

2. $E^* \shuffle_{\mathcal{R}} (F^* L)$ equals
\[
\sum_{\substack{(E', F') \in \mathcal{R} \\ E' \subseteq E,\ F' \subseteq F}} (E^* \shuffle_{\mathcal{R}} F'^*)(E'^* \shuffle_{\mathcal{R}} L) .
\]

Corollary 3.1 Let $E$ and $F$ be two subsets of $\Sigma$, and let $L$ be a language of $\Sigma^*$; then $E^* \shuffle_{\mathcal{R}} (F^* L)$ equals
\[
\sum E^* (E_1 + F_1)^* (E_2 + F_2)^* \cdots (E_k + F_k)^* (E_k^* \shuffle_{\mathcal{R}} L) ,
\]
where the union is taken over all subsets $E_i$ and $F_i$ of $\Sigma$ satisfying:

• $E_k \subseteq \cdots \subseteq E_1 \subseteq E$,

• $\emptyset \neq F_1 \subseteq \cdots \subseteq F_k \subseteq F$,

• $(E_i, F_j) \in \mathcal{R}$ for all $1 \le j \le i \le k$.

Proof. The inclusion from right to left is straightforward. By Proposition 3.2 it remains to show that
\[
(E^* \shuffle_{\mathcal{R}} F'^*)(E'^* \shuffle_{\mathcal{R}} L) \subseteq \sum E^* (E_1 + F_1)^* \cdots (E_k + F_k)^* (E_k^* \shuffle_{\mathcal{R}} L) ,
\]
where $E' \subseteq E$ and $F' \subseteq F$ are subsets satisfying $(E', F') \in \mathcal{R}$. This can be obtained from Proposition 3.1 applied to $E^* \shuffle_{\mathcal{R}} F'^*$, by noting that the sequence of $(E_i)_i$ can be chosen such that each $E_i$ is maximal with the property that $(a, b) \in \mathcal{R}$ for all $a \in E_i$, $b \in F_i$. Hence, $E' \subseteq E_i$ for all $i$ yields the claimed expression. □

Example 3.4 Let $\mathcal{R}_4$ be the semi-commutation relation $\mathcal{R}_4 = \{(a, e), (c, g), (b, e), (b, f), (a, d)\}$. Then from the last proposition and from Example 3.2 it follows that
\[
(a + b + c)^* \shuffle_{\mathcal{R}_4} (e + f + g)^* d (f + g)^* =
\]
\[
(a + b + c)^* (c + g)^* (e + f + g)^* d (f + g)^* + (a + b + c)^* (a + b + e)^* (b + e + f)^* (e + f + g)^* d (f + g)^* + (a + b + c)^* (a + b + e)^* d\, a^* (f + g)^* .
\]

Proposition 3.2 and Corollary 3.1 yield the recursive step for computing $E^* \shuffle_{\mathcal{R}} (f_1 f_2 \cdots f_n)$:

Proposition 3.3 Let $E \subseteq \Sigma$ and let $f_1, \ldots, f_n$ be atomic expressions. Then $E^* \shuffle_{\mathcal{R}} (f_1 f_2 \cdots f_n)$ equals

1. for a star expression $f_1$:
\[
\sum E^* (E_1 + F_1)^* \cdots (E_k + F_k)^* (E_k^* \shuffle_{\mathcal{R}} f_2 \cdots f_n) ,
\]
where the union is taken over all subsets $E_i, F_i$ satisfying $E_{i+1} \subseteq E_i \subseteq E$, $\emptyset \neq F_i \subseteq F_{i+1} \subseteq \alpha(f_1)$ and $(E_i, F_j) \in \mathcal{R}$ for all $j \le i$;

2. for a single letter $f_1 = a$:
\[
E^* a\, (E'^* \shuffle_{\mathcal{R}} f_2 \cdots f_n) ,
\]
where $E' = \{\, b \in E \mid (b, a) \in \mathcal{R} \,\}$.

We can now describe the algorithm for computing the closure of an APC expression $\sum e_1 \cdots e_n$ under a semi-commutation rewriting relation $\mathcal{R}$. We compute recursively $\mathcal{R}^*(e_2 \cdots e_n) = \sum f_1 \cdots f_k$. The recursive step is given by Lemma 3.4 if $e_1$ is a letter. Otherwise, for $e_1 = E^*$ we apply Proposition 3.3, which is itself a recursive algorithm. It is easily seen that each step preserves containment in APC. This shows Theorem 3.1.

Remark 3.2 We note that for a product $p$ of length $n$ the length of the products of the expression computed for $\mathcal{R}^*(p)$ is at most [bound illegible in the scanned source]. Moreover, since there exist $2^{|\Sigma|} + |\Sigma|$ different atomic expressions, it follows that the size of $\mathcal{R}^*(p)$ is at most [bound illegible in the scanned source].

4 Applications

As mentioned in the introduction, we can use our results for applying partial-order reduction techniques in model checking, even if the original property is not a partial-order property. This idea can be used for example in the validation of scenarios described by High-Level Message Sequence Charts (HMSC). HMSCs are a graphical specification language for communication protocols, standardized by the ITU and integrated in UML. An HMSC scenario is a partial-order model for asynchronous FIFO message exchange of concurrent processes. Assume for example that we have a system $S$ including two processes $P$ and $Q$ and that we want to verify that $P$ cannot send two messages to $Q$ without getting an acknowledgement back from $Q$ in between. Let us denote the set of possible actions by $\Sigma$, the send action of $P$ to $Q$ by $s$, the receive action of $Q$ from $P$ by $r$, and let $\Sigma_P$ (resp. $\Sigma_Q$) denote the events on $P$ (resp. on $Q$). Hence, a bad scenario contains for example an occurrence of the sequence $srsr$, which means that two messages have been transmitted from $P$ to $Q$ without an acknowledgement between them. So, let $\phi = \Sigma^* srsr \Sigma^*$ be the set of sequences containing this bad subsequence, and suppose we want to verify that an HMSC system $S$ satisfies $\neg\phi$. Clearly, $\phi$ is not a partial-order property, since $\phi$ does not contain for example the sequence $ssrr$. We can consider the semi-commutation rule $rs \to sr$, which expresses that communication is asynchronous. By applying our algorithm with suitable rules such as $\mathcal{R} = \{rs \to sr\}$ we obtain the partial-order property $\mathcal{R}^*(\phi)$ equal to
\[
\Sigma^* s (\Sigma \setminus \Sigma_P)^* r (\Sigma \setminus (\Sigma_P \cup \Sigma_Q))^* s (\Sigma \setminus \Sigma_Q)^* r \Sigma^*
+ \Sigma^* s (\Sigma \setminus \Sigma_P)^* s \Sigma^* r (\Sigma \setminus \Sigma_Q)^* r \Sigma^* .
\]

Now, for verifying that $S$ satisfies $\neg\phi$ we can consider a succinct representation of the system $S$, which corresponds to the transition system underlying $S$ and which is polynomial in the size of the given HMSC system, and then check that $S \cap \mathcal{R}^*(\phi)$ is empty. Since we consider an $\mathcal{R}$-closed property, it is not necessary to compute the closure of the system $S$, which is an expensive operation, and even impossible in general (linearizations of HMSCs are not regular [13]). The same holds also in the case of "positive reasoning": for verifying that $S$ satisfies a property $\phi$, it suffices to construct the $\mathcal{R}$-closure of $\phi$ and check that $S \subseteq \mathcal{R}^*(\phi)$.

Further examples showing that APC properties occur naturally in the verification of concurrent systems are the so-called "matching with gaps" problem in HMSCs [15], which is a kind of weak model checking. Other examples from distributed computing are negations of (some) safety properties when APCs are used to express bad patterns (scenarios) like in the examples shown above. Furthermore, in the context of regular model checking, it turns out that the reachability sets of many infinite-state systems and parameterized systems, including communication protocols like the alternating bit and the sliding window, and parameterized mutual exclusion protocols such as the token ring, Szymanski's, Burns', or Dijkstra's protocols, are all expressible as APCs. Being able to compute the $\mathcal{R}$-closure $\mathcal{R}^*(L)$ for a semi-commutation system $\mathcal{R}$ allows us to compute the effect of meta-transitions corresponding to the semi-commutation rules, and hence to accelerate the process of computing the set of reachable configurations.

5 Circular Rewriting

In this section we consider the problem of computing $\mathcal{R}^*(L)$ when $L$ consists of circular words. This amounts to assuming that $L$ is closed under conjugacy, $L = \mathrm{Conj}(L)$. Recall that $\mathrm{Conj}(L) = \{\, vu \mid uv \in L \,\}$ denotes the closure of $L$ under conjugacy. The question of computing the $\mathcal{R}$-closure in this framework arises naturally in regular model checking when processes are ordered circularly in a ring.

Let $\mathcal{R} \subseteq \Sigma \times \Sigma$ be a semi-commutation relation over $\Sigma$. We associate with $\mathcal{R}$ the circular rewriting relation $\mathcal{R}_c \subseteq \Sigma^* \times \Sigma^*$ defined as follows. For any pair of words $x$ and $y$ in $\Sigma^*$, we define $(x, y) \in \mathcal{R}_c$ if we can write
\[
uv \in \mathcal{R}^*(x) \quad \text{and} \quad y \in \mathcal{R}^*(vu) ,
\]
for some $u, v \in \Sigma^*$. Note that the circular rewriting relation $\mathcal{R}_c$ is the composition $\mathcal{R}^* \circ \mathrm{Conj} \circ \mathcal{R}^*$ of the (rewriting) relations. As usual, $\mathcal{R}_c^*$ denotes the reflexive, transitive closure of $\mathcal{R}_c$. For a language $L$ we denote by $\mathcal{R}_c^*(L)$ the circular $\mathcal{R}$-closure of $L$, defined as the set:
\[
\mathcal{R}_c^*(L) = \{\, v \in \Sigma^* \mid \exists u \in L \text{ such that } (u, v) \in \mathcal{R}_c^* \,\} .
\]

We will show in this section that the circular $\mathcal{R}$-closure $\mathcal{R}_c^*(L)$ of any language $L$ (not necessarily regular) can be obtained by applying alternately conjugation and semi-commutation rewriting a finite number of times.

The main result of this section can be stated as follows:

Theorem 5.1 Let $L \subseteq \Sigma^*$; then $\mathcal{R}_c^*(L) = \mathcal{R}_c^{2|\Sigma|}(L)$.

As a first corollary, we obtain the closure of the class APC under circular rewriting.

Corollary 5.1 Let $L$ be an APC expression; then $\mathcal{R}_c^*(L)$ is in APC and is effectively computable. The length of the expression computed for $\mathcal{R}_c^*(L)$ is at most $(S_{\mathcal{R}} +$ [remainder of the bound illegible in the scanned source].

Proof. This follows directly from $\mathcal{R}_c^*(L) = \mathcal{R}_c^{2|\Sigma|}(L) = (\mathcal{R}^* \circ \mathrm{Conj} \circ \mathcal{R}^*)^{2|\Sigma|}(L)$, together with $\mathrm{APC}(\Sigma)$ being closed under semi-commutation rewriting and conjugacy (Theorem 3.1 and Proposition 2.1). □

In the remainder of the section we show Theorem 5.1. The proof uses ideas from [7][Ch. 3]. It generalizes (and simplifies) the proof given there for the case where $\mathcal{R}$ is a symmetric relation. As in [7] we need a second relation $C_{\mathcal{R}}$, called conjugacy relation, which is defined as follows for $x, y \in \Sigma^*$:
\[
(x, y) \in C_{\mathcal{R}} \quad \text{if} \quad \exists z \in \Sigma^* \text{ such that } zy \in \mathcal{R}^*(xz) .
\]

Lemma 5.1 $\mathcal{R}_c \subseteq C_{\mathcal{R}}$, and $C_{\mathcal{R}}$ is reflexive and transitive.

Proof. For the first claim let $x, y \in \Sigma^*$ be such that $(x, y) \in \mathcal{R}_c$. By definition, there exist $u$ and $v \in \Sigma^*$ such that $uv \in \mathcal{R}^*(x)$ and $y \in \mathcal{R}^*(vu)$; then $uy \in \mathcal{R}^*(uvu) \subseteq \mathcal{R}^*(xu)$.

For the second claim it is easy to see that $C_{\mathcal{R}}$ is reflexive. Let now $x, y, z \in \Sigma^*$ be such that $(x, y) \in C_{\mathcal{R}}$ and $(y, z) \in C_{\mathcal{R}}$. Let then $w$ and $t \in \Sigma^*$ be such that $wy \in \mathcal{R}^*(xw)$ and $tz \in \mathcal{R}^*(yt)$. Then $(wt)z \in \mathcal{R}^*(wyt) \subseteq \mathcal{R}^*(x(wt))$, which shows that $(x, z) \in C_{\mathcal{R}}$. □


Theorem 5.2 Let $x, y \in \Sigma^*$. Suppose that $z \in \Sigma^*$ is such that $zy \in \mathcal{R}^*(xz)$. Then there exist $m \le 2|\Sigma|$ and words $t_0, \ldots, t_m \in \Sigma^*$ satisfying the following properties:

• $t_0 \cdots t_m \in \mathcal{R}^*(x)$,

• $y \in \mathcal{R}^*(t_m \cdots t_0)$,

• $(\alpha(t_j), \alpha(t_i)) \in \mathcal{R}$ for all $j > i + 1$.

Proof. We only sketch the proof idea. We suppose that $zy \in \mathcal{R}^*(xz)$. Then a combinatorial lemma (Levi's Lemma for semi-traces, see [7][Ch. 12]) implies that there exist words $u, v, p, q \in \Sigma^*$ such that $up \in \mathcal{R}^*(x)$, $qv \in \mathcal{R}^*(z)$, $z \in \mathcal{R}^*(uq)$ and $y \in \mathcal{R}^*(pv)$, with $(\alpha(p), \alpha(q)) \in \mathcal{R}$. Since $qv \in \mathcal{R}^*(uq)$ and $|u| + |q| < |x| + |z|$ if $x$ is nonempty, we can apply induction on $|x| + |z|$ in order to obtain the result. □

Corollary 5.2 $\mathcal{R}_c^* = \mathcal{R}_c^{2|\Sigma|}$.

Proof. First, we show that $C_{\mathcal{R}} \subseteq \mathcal{R}_c^{2|\Sigma|}$. Let $(x, y) \in C_{\mathcal{R}}$ with $zy \in \mathcal{R}^*(xz)$ for some $z$. Let $t_0, \ldots, t_p$ be as stated in Theorem 5.2. It suffices to show that $(t_0 \cdots t_p,\ t_p \cdots t_0) \in \mathcal{R}_c^{p}$ (and hence in $\mathcal{R}_c^{2|\Sigma|}$, since $p \le 2|\Sigma|$ and $\mathcal{R}_c$ is reflexive). This is due to the fact that $(t_0 t_p \cdots t_1,\ t_p \cdots t_0) \in \mathcal{R}_c$ and that for each $i \in \{1, \ldots, p - 1\}$:
\[
(t_0 \cdots t_i\, t_p \cdots t_{i+1},\ t_0 \cdots t_{i-1}\, t_p \cdots t_i) \in \mathcal{R}_c ,
\]
since
\[
t_0 \cdots t_{i-1}\, t_p \cdots t_i \in \mathcal{R}^*(t_p \cdots t_{i+1}\, t_0 \cdots t_i) .
\]
Indeed, to obtain the word $t_0 \cdots t_{i-1} t_p \cdots t_i$ from $t_p \cdots t_{i+1} t_0 \cdots t_i$ by applying $\mathcal{R}$, we start by moving $t_{i+1}$ from left to right, then $t_{i+2}$, etc.

From Lemma 5.1 we obtain that $\mathcal{R}_c^* \subseteq C_{\mathcal{R}}$. Since $C_{\mathcal{R}} \subseteq \mathcal{R}_c^{2|\Sigma|}$ we conclude finally that $\mathcal{R}_c^* = \mathcal{R}_c^{2|\Sigma|}$. □


6 Complexity results

In this section we consider basic complexity questions concerning languages in APC. First, we obtain that both the problem of testing inclusion (or universality) and the problem of deciding whether a language in APC is closed under a semi-commutation relation are PSPACE-complete. Clearly, these are basic operations when we want to perform model checking on APC properties. For example, we might ask whether an APC property $\phi_1$ is covered by another property $\phi_2$, i.e., whether $\phi_1 \subseteq \phi_2$. The test for $\mathcal{R}$-closure is important when we want to know whether a property $\phi$ is already closed under semi-commutation rewriting, since it avoids computing the $\mathcal{R}$-closed expression, which may be of exponential size. Moreover, in the fixed point computations of regular model checking we check whether we have already computed the set of all reachable configurations by an equality test.

For lack of space we omit all proofs of the section and refer to the full version of the paper.

Theorem 6.1 The following problem is PSPACE-complete:

Input: An APC expression $L$ over $\Sigma$.

Question: Is $L = \Sigma^*$?

Corollary 6.1 Deciding inclusion for languages in APC is PSPACE-complete.

Theorem 6.2 The following problem is PSPACE-complete:

Input: An APC expression $L$ over $\Sigma$ and a semi-commutation rewriting system $\mathcal{R} \subseteq \Sigma \times \Sigma$.

Question: Does $\mathcal{R}^*(L) = L$ hold?

Next, we show that the membership problem for the class APC is PSPACE-complete when we are given a non-deterministic automaton. The same question is NLOGSPACE-complete, hence polynomial, when the input is a deterministic automaton. These two last results rely on the characterization of languages in APC by positive varieties given in [18]. It is worth noting that the algorithm obtained in [18] has complexity in $O(|A| \cdot 2^{|\Sigma|})$, i.e., it is linear in the size of the automaton and exponential in the size of the alphabet. Theorem 6.4 below improves the result by giving an algorithm which is polynomial in both $|A|$ and $|\Sigma|$.

Theorem 6.3 Deciding whether a regular language, given by a regular expression or a non-deterministic automaton, is an APC language is a PSPACE-complete problem.

Theorem 6.4 Deciding whether a regular language, given by a deterministic automaton, is an APC language is an NLOGSPACE-complete problem.


7 Conclusion

We have identified a class of regular expressions which appears naturally in many contexts, in particular in modeling and verifying concurrent systems and in regular model checking, and we have studied its closure properties and its complexity.

In particular, we have shown that the class of APCs is effectively closed under semi-commutation rewriting (for any such rewriting system). As far as we know, this is the first time that a non-trivial subclass of regular properties has been shown to enjoy this property. As mentioned previously, APCs correspond to level 3/2 in Straubing's concatenation hierarchy, and to level $\Sigma_2$ in the quantifier-alternation hierarchy of first-order logic. It is interesting to note that this is the largest class in both hierarchies which is closed under semi-commutation rewriting. However, this raises the question of finding other subclasses of regular languages which have the same closure properties as APC. A minimal requirement on such classes is that the Parikh images of their languages should correspond to Presburger formulas where linear constraints do not involve more than one free variable. It can be seen for instance that this property does not hold for $(ab)^*$, whereas it holds for all APC languages.

Another novel contribution of our paper is to show that APCs are also closed under circular semi-commutation rewriting. Actually, our proof holds for any class of languages which is effectively closed under semi-commutation rewriting and conjugacy, since we show that for any system $\mathcal{R}$, computing the circular $\mathcal{R}$-closure reduces to a finite iteration (two times the size of the alphabet) of the computation of the $\mathcal{R}$-closure in alternation with conjugacy. Our result on the closure of APC under semi-commutation rewriting can be applied in modeling and verifying automatically parametrized networks having a ring topology, where information is exchanged between neighbors. Then, an interesting problem is to extend this work to similar systems with other kinds of topologies such as trees and grids.
Abstract

A temporal logic query checker takes as input a Kripke structure and a temporal logic formula with a hole, and returns the set of propositional formulas that, when put in the hole, are satisfied by the Kripke structure. By allowing the temporal properties of a system to be discovered, query checking is useful in the study and reverse engineering of systems.

Temporal logic query checking was first proposed in [2]. In this paper, we generalize and simplify Chan's work by showing how a new class of alternating automata can be used for query checking with a wide range of temporal logics.


1  Introduction 

As pointed out by Chan in [2], model checking is as often used for understanding a design as for verifying its correctness. One rarely begins the study of a design with a complete specification in hand. Instead, one identifies a few key properties, expresses them in temporal logic, and checks them against the design. Some of the properties usually fail to hold, so the properties (and possibly the design) are revised and rechecked. As this process iterates one develops a more detailed picture of the properties the design satisfies or should satisfy.

To speed the process of design understanding, Chan proposed temporal logic query checking [2]. Here one works with a temporal logic formula containing a placeholder, or hole. A query checker returns the strongest propositional formula that, when put into the hole, is satisfied by the design. For example, given a design and the CTL query $AG?$, the query checker will return the strongest invariant of the system; i.e. the strongest propositional formula that is satisfied in every state of the design. Thus, a query checker allows the mechanization of much of the trial-and-error work done while analyzing a design.

The aim of this paper is to extend and simplify Chan's work. Chan studied CTL query checking, and was interested in queries for which a single strongest solution exists, called valid queries in [2]. He showed that it is expensive to determine whether a CTL query is valid, and identified a syntactic class of CTL queries such that every formula in the class is valid. His query-checking algorithm works only with queries in this class. In contrast, we are interested in all CTL queries, even those that have multiple maximally-strong solutions. Furthermore, we do not restrict our attention to CTL. Our query-checking approach is defined for an arbitrary temporal logic.

We simplify Chan's work by showing that query checking can be accomplished by adapting existing model-checking algorithms. In particular, we show how to adapt the automata-theoretic approach to model checking of Kupferman, Vardi and Wolper [8] to solve the query-checking problem.

In the following section of the paper we define the query-checking problem and compare it to model checking. In Section 3, we present some properties of lattices that are central to understanding the solution space of query checking. In Section 4, we outline our approach to query checking and introduce a new class of alternating automata. In Section 5, we show how a query-checking algorithm can be obtained for any logic having a translation to alternating automata, and we describe the application of this approach to CTL queries. In Section 6 we present some examples. Proofs of most theorems are omitted in this extended abstract.
2 Problem Statement

In this section we define the query-checking problem. Our definition is relative to any temporal logic that is interpreted on Kripke structures and that allows atomic propositions as formulas. We write $(K, s) \models \phi$ if state $s$ of Kripke structure $K$ satisfies temporal logic formula $\phi$.

A query is an expression obtained by replacing a single atomic proposition in a temporal logic formula by the symbol ?, which is referred to as the placeholder (or hole) of the query. Substituting the placeholder of a temporal logic query by a propositional formula (i.e., a formula built only from atomic propositions and boolean operators) yields a temporal logic formula. We write $\phi[\psi]$ for the formula obtained by substituting propositional formula $\psi$ for the placeholder in query $\phi$. We also accept temporal logic formulas themselves as queries. If $\phi$ is a temporal logic formula, then $\phi[\psi]$ is identical to $\phi$.

A propositional formula $\psi$ is a solution to a query $\phi$, relative to state $s$ of Kripke structure $K$, if $(K, s) \models \phi[\psi]$.

A positive query is a query $\phi$ that is monotonic with respect to its placeholder: if $\psi_1 \Rightarrow \psi_2$ then $\phi[\psi_1] \Rightarrow \phi[\psi_2]$ (where $\Rightarrow$ denotes logical implication). In what follows we consider only positive queries. With such a query it makes sense to compute only maximally strong solutions, because from these solutions all others can be inferred.¹ Formally, let $PF(P)$ stand for the set of propositional formulas that can be built from a set $P$ of atomic propositions. The ordering $\leq$ on set $PF(P)$ is defined as $\psi_1 \leq \psi_2$ iff $\psi_1 \Rightarrow \psi_2$. The resulting ordered set $(PF(P), \leq)$ is a boolean lattice, which we refer to as $L_P$. For any ordered set $(A, \leq)$ and $B \subseteq A$, we define $\min(B)$ by $\{b \in B \mid \forall b' \in B.\ b' \leq b \Rightarrow b' = b\}$. A subset $B$ of $A$ is minimal if $\min(B) = B$.

Definition 1 Let $P$ be a set of atomic propositions, and let $P'$ be a subset of $P$. Let $K$ be a Kripke structure containing state $s$, and let $\phi$ be a query, both defined over $P$. The query-checking problem is to compute the set $\min\{\psi \in PF(P') \mid (K, s) \models \phi[\psi]\}$ of strongest solutions to $\phi$. ■

We write $[(K, s), \phi]_{P'}$, or $[(K, s), \phi]$ for short, for the set of strongest solutions to query $\phi$ relative to state $s$ of Kripke structure $K$ and set $P'$ of atomic propositions.

¹Our restriction to positive queries does not reduce generality. Suppose we had a query with a negated placeholder. We could compute the solution set for this query by removing the negation on the placeholder, computing the solution set for the resulting query, negating each formula in this set, and then interpreting the result as the set of weakest solutions to the query.


For a query $\phi$ without a placeholder, query checking reduces to model checking. If $(K, s) \not\models \phi$, then $(K, s) \not\models \phi[\psi]$ for all propositional formulas $\psi$, and hence $[(K, s), \phi] = \emptyset$. Otherwise $(K, s) \models \phi$, so $(K, s) \models \phi[\psi]$ for all propositional formulas, and hence $[(K, s), \phi] = \{\mathit{false}\}$. Since query checking is a generalization of model checking, it is at least as hard. Conversely, it is easy to show that query checking itself can be reduced to several model-checking problems.

Theorem 2 Given a fixed set $P'$ of atomic propositions and a temporal logic TL, the query-checking problem and the model-checking problem for TL have the same complexity in the size of the Kripke structure and in the size of the query/formula.

Proof: A naive query-checking algorithm for solving $[(K, s), \phi]_{P'}$ consists of enumerating all $L = 2^{2^{|P'|}}$ possible solutions $\psi$, checking whether $(K, s) \models \phi[\psi]$ for each such $\psi$, and then returning only the minimal elements from that set. Query checking is thus reduced to at most $L$ model-checking problems with a formula of length at most $|\phi| + O(2^{|P'|})$. ■

Since there can be $O(2^{2^{|P'|}})$ minimal solutions to a query-checking problem, parameter $P'$ provides a way to control the complexity of query checking in practice, by specifying the atomic propositions that will appear in solutions computed for the query.

In the remainder of this paper, we develop a constructive algorithm for solving the query-checking problem that can converge directly to its minimal solutions, instead of guessing and checking exponentially many individual potential solutions one by one as done with the above naive algorithm.

We illustrate the query-checking problem and our ideas to solve it by presenting examples of queries in the temporal logic CTL [5, 10]. Let $p$ range over a set $P$ of atomic propositions. The abstract syntax of CTL is defined from state formulas $\phi$ and path formulas $\psi$ as follows:

$$\phi ::= p \mid \neg p \mid \phi_1 \wedge \phi_2 \mid \phi_1 \vee \phi_2 \mid A\psi \mid E\psi$$

$$\psi ::= X\phi \mid \phi_1\, U\, \phi_2 \mid \phi_1\, \tilde{U}\, \phi_2$$

A CTL formula is a state formula. The closure of a CTL formula $\phi$, written $cl(\phi)$, is defined as the set of all state subformulas of $\phi$. The size $|\phi|$ of a formula $\phi$ is defined as the number of elements of $cl(\phi)$.

Figure 1. Example Kripke structures $K_1$ and $K_2$

A CTL formula is interpreted with respect to a Kripke structure $K = (P, S, s_0, R, L)$ where $P$ is a finite set of atomic propositions, $S$ is a finite set of states, $s_0$ in $S$ is the initial state, $R \subseteq S \times S$ is a total transition relation on states, and $L : S \to 2^P$ is a labeling function that maps each state to a set of atomic propositions. A path $w = s_0, s_1, \ldots$ of a Kripke structure is an infinite sequence of states such that $(s_i, s_{i+1}) \in R$ for all $i \geq 0$. We write $w^i$ for the $i$th state of path $w$, with $w^0$ the first state. Also, we write $\mathit{paths}(s)$ for the set of all paths $w$ in $K$ such that $w^0$ is $s$.

Given a Kripke structure $K = (P, S, s_0, R, L)$, a state formula $\phi$ satisfies a state $s$ of $K$, and a path formula $\psi$ satisfies a path $w$ of $K$, according to the following inductive definitions.


$$\begin{array}{lcl}
(K, s) \models p & \stackrel{\text{def}}{=} & p \in L(s)\\
(K, s) \models \neg p & \stackrel{\text{def}}{=} & p \notin L(s)\\
(K, s) \models \phi_1 \wedge \phi_2 & \stackrel{\text{def}}{=} & (K, s) \models \phi_1 \text{ and } (K, s) \models \phi_2\\
(K, s) \models \phi_1 \vee \phi_2 & \stackrel{\text{def}}{=} & (K, s) \models \phi_1 \text{ or } (K, s) \models \phi_2\\
(K, s) \models A\psi & \stackrel{\text{def}}{=} & \forall w \in \mathit{paths}(s).\ (K, w) \models \psi\\
(K, s) \models E\psi & \stackrel{\text{def}}{=} & \exists w \in \mathit{paths}(s).\ (K, w) \models \psi\\
(K, w) \models X\phi & \stackrel{\text{def}}{=} & (K, w^1) \models \phi\\
(K, w) \models \phi_1\, U\, \phi_2 & \stackrel{\text{def}}{=} & \exists i.\ (K, w^i) \models \phi_2 \text{ and } \forall j < i.\ (K, w^j) \models \phi_1\\
(K, w) \models \phi_1\, \tilde{U}\, \phi_2 & \stackrel{\text{def}}{=} & \forall i.\ (K, w^i) \models \phi_2 \text{ or } \exists j < i.\ (K, w^j) \models \phi_1
\end{array}$$

The class of CTL queries we allow are those for which negation is not applied to the placeholder. All such queries are positive.

Consider the CTL query $A(\mathit{false}\,\tilde{U}\,?)$ (sometimes written $AG?$) and Kripke structure $K_1$, which is shown on the left of Figure 1. The formula $A(\mathit{false}\,\tilde{U}\,\phi)$ holds if formula $\phi$ holds everywhere along all paths of a structure. A solution to the query is therefore a maximally-strong propositional formula that holds everywhere in the Kripke structure. Informally, the strongest solution of $\mathit{true}\, U\, ?$ for the left path in the example is $p \neq q$, and the strongest solution for the right path is $p \wedge \neg q$. Therefore, the strongest solution that holds for all paths is $p \neq q$.

Consider the same query and Kripke structure $K_2$. Here the strongest solution on the left branch is $p \neq q$ and the strongest solution on the right branch is $p$. The strongest solution for both paths is therefore $p \vee q$.

Now, consider the CTL query $E(\mathit{true}\, U\, ?)$ (sometimes written $EF?$) and Kripke structure $K_1$. A solution to this query is a maximally-strong propositional formula that holds anywhere in the Kripke structure. This query on $K_1$ has two maximally-strong solutions: $p \wedge \neg q$ and $q \wedge \neg p$. The same query evaluated on $K_2$ has three maximally-strong solutions: $p \wedge \neg q$, $q \wedge \neg p$, and $p \wedge q$.

3  Solutions  to  Queries 

In model checking with alternating automata, conjunction and disjunction operations are performed on truth values. In our algorithm for query checking, analogous operations are performed on sets of maximally-strong propositional formulas. These operations are defined as the meet and join operations of a lattice. In this section we define this lattice and show properties of the meet and join operations.

To begin, recall that we write $\psi_1 \leq \psi_2$ for propositional formulas $\psi_1$ and $\psi_2$ if $\psi_1 \Rightarrow \psi_2$. Also, given a set $P$ of atomic propositions we write $L_P$ for the boolean lattice $(PF(P), \leq)$ having as its elements the propositional formulas built from elements of $P$. The left-most lattice of Figure 2 is $L_P$, where $P$ contains only the single atomic proposition $p$.

Before going directly to the definition of a lattice on sets of maximally-strong propositional formulas, we will define a related lattice. Consider the set of all solutions to a query, not just the minimal ones. Because our queries are positive, the set of all solutions to a query is a set of propositional formulas that is closed under "going-up" with respect to $\leq$. In other words, if some propositional formula belongs to the set, then so does every weaker formula. Given an ordered set $(A, \leq)$ and a subset $B$ of $A$, we define

$$\uparrow\!B \stackrel{\text{def}}{=} \{a \in A \mid \exists b \in B.\ b \leq a\}$$

A subset $B$ of $A$ is an up-set if $\uparrow\!B = B$. We write $U(A)$ for the set of all up-sets of $A$. Lattice theory (see Sec. 8.20 of [6]) tells us that if $A$ is finite then $U(A)$ is a finite, distributive lattice, with elements ordered by set inclusion. It is easy to see that the meet and join operations of $U(A)$ are just set intersection and union.

Given a set $P$ of atomic propositions, let $L_P^{\uparrow}$ be the lattice $U(PF(P))$, which is finite and distributive, but not boolean (see Lemma 8.21 of [6]). The middle lattice of Figure 2 is $L_P^{\uparrow}$ for $P = \{p\}$. Each element of this lattice is a possible set of solutions to a query in which the set of atomic propositions contains only atomic proposition $p$. Although not evident from Figure 2, lattice $L_P^{\uparrow}$ grows much faster than $L_P$ as the set $P$ of atomic propositions grows.

Each element of $L_P^{\uparrow}$ can be represented by its minimal elements. Recall from Section 2 that $\min(A)$ stands for the minimal elements of an ordered set $A$.

Proposition 3 Let $(A, \leq)$ be an ordered set with $B, C \subseteq A$. Then

$$\min(\uparrow\!B) = \min(B)$$

$$\min(B \cup C) = \min(\min(B) \cup \min(C))$$

From $L_P^{\uparrow}$ we get an isomorphic lattice $L_P^{\min}$ by applying $\min$ to each element. Each element of $L_P^{\min}$ represents a set of maximally-strong propositional formulas, i.e., a candidate set of solutions to a query. The ordering of $L_P^{\min}$ is derived from the ordering of $L_P^{\uparrow}$: $A \leq B$ in $L_P^{\min}$ iff $\uparrow\!A \subseteq \uparrow\!B$. Similarly, the meet and join operations of $L_P^{\min}$ (which we write as $\underline{\wedge}$ and $\underline{\vee}$) are derived from $L_P^{\uparrow}$:

$$A \,\underline{\wedge}\, B \stackrel{\text{def}}{=} \min(\uparrow\!A \cap \uparrow\!B)$$

$$A \,\underline{\vee}\, B \stackrel{\text{def}}{=} \min(\uparrow\!A \cup \uparrow\!B)$$

The right-most lattice of Figure 2 is $L_P^{\min}$ for $P = \{p\}$.

Defining $\underline{\wedge}$ and $\underline{\vee}$ as the meet and join operations of a distributive lattice is helpful because we immediately learn some properties of $\underline{\wedge}$ and $\underline{\vee}$.

Proposition 4 Let $A$, $B$, and $C$ be elements of $L_P^{\min}$. Then

$$\begin{array}{rcl}
A \,\underline{\wedge}\, B &=& B \,\underline{\wedge}\, A\\
A \,\underline{\vee}\, B &=& B \,\underline{\vee}\, A\\
A \,\underline{\wedge}\, (B \,\underline{\wedge}\, C) &=& (A \,\underline{\wedge}\, B) \,\underline{\wedge}\, C\\
A \,\underline{\vee}\, (B \,\underline{\vee}\, C) &=& (A \,\underline{\vee}\, B) \,\underline{\vee}\, C\\
A \,\underline{\wedge}\, (B \,\underline{\vee}\, C) &=& (A \,\underline{\wedge}\, B) \,\underline{\vee}\, (A \,\underline{\wedge}\, C)\\
A \,\underline{\vee}\, (B \,\underline{\wedge}\, C) &=& (A \,\underline{\vee}\, B) \,\underline{\wedge}\, (A \,\underline{\vee}\, C)
\end{array}$$

It is awkward to compute $A \,\underline{\wedge}\, B$ and $A \,\underline{\vee}\, B$ using the definitions of $\underline{\wedge}$ and $\underline{\vee}$ directly because they first expand $A$ and $B$ to $\uparrow\!A$ and $\uparrow\!B$. The following characterizations allow $\underline{\wedge}$ and $\underline{\vee}$ to be computed directly using minimal sets.

Theorem 5 Let $A$ and $B$ be elements of $L_P^{\min}$. Then

$$A \,\underline{\wedge}\, B = \min(\{a \vee b \mid a \in A \text{ and } b \in B\})$$

$$A \,\underline{\vee}\, B = \min(A \cup B)$$
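As an added example (not code from the paper), the following Python encodes formulas over $P$ as sets of satisfying assignments, implements $\min$ and the Theorem 5 characterizations of $\underline{\wedge}$ and $\underline{\vee}$, and uses them to solve the Section 2 queries $AG?$ and $EF?$ on constructed stand-ins for $K_1$ and $K_2$ (Figure 1 is not reproduced here). Combining per-state minterms with the meet for $A$ and the join for $E$ is an assumed simplification of the paper's automaton-based evaluation, valid for these two queries; the naive enumeration from the proof of Theorem 2 is included as a cross-check.

```python
"""Added example (not the paper's code): the lattice L_P^min of Section 3 and the
query-checking problem of Section 2, run on constructed stand-ins for K1 and K2.
A propositional formula over P is represented, up to equivalence, by its set of
satisfying assignments (each assignment is the frozenset of atoms it makes true),
so psi1 <= psi2 (implication) is plain subset inclusion."""
from collections import deque
from itertools import combinations


def all_assignments(atoms):
    """Every truth assignment over P, i.e. every subset of `atoms`."""
    atoms = sorted(atoms)
    return [frozenset(c) for r in range(len(atoms) + 1) for c in combinations(atoms, r)]


def minimal(formulas):
    """min(B) of Section 2: the members of B with no strictly stronger member in B."""
    formulas = set(formulas)
    return frozenset(b for b in formulas if not any(c < b for c in formulas))


def meet(A, B):
    """Theorem 5: A meet B = min({a v b | a in A, b in B}); a v b is the union of sat sets."""
    return minimal(a | b for a in A for b in B)


def join(A, B):
    """Theorem 5: A join B = min(A u B)."""
    return minimal(set(A) | set(B))


class Kripke:
    """K = (P, S, s0, R, L) with R as successor lists and L as sets of atoms."""
    def __init__(self, atoms, initial, succ, label):
        self.atoms, self.initial, self.succ, self.label = set(atoms), initial, succ, label

    def reachable(self):
        """States reachable from s0 (R is total, so each lies on some path)."""
        seen, todo = {self.initial}, deque([self.initial])
        while todo:
            for t in self.succ[todo.popleft()]:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def minterm(self, s):
        """The strongest propositional formula holding at s: satisfied by L(s) only."""
        return frozenset({frozenset(self.label[s])})


def solve_AG(K):
    """[(K, s0), A(false U~ ?)], the strongest invariant: A is a conjunction over
    paths, so the per-state answers {minterm(s)} are combined with the meet."""
    result = None
    for s in K.reachable():
        part = frozenset({K.minterm(s)})
        result = part if result is None else meet(result, part)
    return result


def solve_EF(K):
    """[(K, s0), E(true U ?)], the maximally strong formulas holding somewhere:
    E is a disjunction over paths, so the answers are combined with the join."""
    result = frozenset()
    for s in K.reachable():
        result = join(result, frozenset({K.minterm(s)}))
    return result


def naive_query_check(K, holds):
    """The naive algorithm from the proof of Theorem 2: enumerate all 2^(2^|P|)
    formulas psi, model-check phi[psi] for each via `holds`, keep the minimal ones."""
    assignments = all_assignments(K.atoms)
    candidates = (frozenset(c) for r in range(len(assignments) + 1)
                  for c in combinations(assignments, r))
    return minimal(psi for psi in candidates if holds(K, psi))


def holds_AG(K, psi):  # (K, s0) |= A(false U~ psi): psi true in every reachable state
    return all(frozenset(K.label[s]) in psi for s in K.reachable())


def holds_EF(K, psi):  # (K, s0) |= E(true U psi): psi true in some reachable state
    return any(frozenset(K.label[s]) in psi for s in K.reachable())


# Constructed stand-ins for Figure 1 (not reproduced on the page), chosen to match the
# solutions quoted in Section 2: s0 branches to s1 and s2, each of which loops forever.
K1 = Kripke({"p", "q"}, "s0", {"s0": ["s1", "s2"], "s1": ["s1"], "s2": ["s2"]},
            {"s0": {"p"}, "s1": {"q"}, "s2": {"p"}})
K2 = Kripke({"p", "q"}, "s0", {"s0": ["s1", "s2"], "s1": ["s1"], "s2": ["s2"]},
            {"s0": {"p"}, "s1": {"q"}, "s2": {"p", "q"}})

if __name__ == "__main__":
    for name, K in (("K1", K1), ("K2", K2)):
        print(name, "AG?:", solve_AG(K), "EF?:", solve_EF(K))
        assert solve_AG(K) == naive_query_check(K, holds_AG)
        assert solve_EF(K) == naive_query_check(K, holds_EF)
```

On $K_1$ the single $AG?$ solution is the formula satisfied exactly by $\{p\}$ and $\{q\}$, i.e. $p \neq q$, and $EF?$ returns the two minterms $p \wedge \neg q$ and $q \wedge \neg p$, matching Section 2.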

4  Extended  Alternating  Automata 

Inspired by the automata-theoretic approach to model checking of [8], we propose the following approach to query checking. Given a temporal logic query $\phi$ and a Kripke structure $K$, we (1) build an alternating automaton representing $\phi$, (2) compute the product of this automaton with $K$, and finally (3) check whether the language accepted by the product automaton is empty. A key step in developing this approach is to discover a kind of alternating automaton appropriate for representing a temporal logic query. In this section we introduce a new type of alternating automata for this purpose, which we call extended alternating automata (EAA).

The novel aspect of alternating automata [3] is that the transition function maps an automaton state and

$x_3$ respectively on the right-hand side are replaced by $\{\mathit{false}\}$, since the state is accepting. Then, the values for $x_2$ and $x_3$ are computed by applying the definition, and one obtains $x_2 = \{q \wedge \neg p\}$ and $x_3 = \{p \wedge \neg q\}$. The algorithm then backs up to $x_1$ and computes the value of $x_1$, which is $\{p \neq q\}$. This value is the solution to the query $[(K_1, s_0), A(\mathit{false}\,\tilde{U}\,?)]$.

7  Discussion 

We have presented a general automata-theoretic approach to temporal logic query checking. The approach is general in the sense that if one has a translation from queries to EAA in the sense of Theorem 7, then checking nonemptiness of the product automaton gives the solution to the query. For CTL we showed how this translation can be derived directly from the translation of CTL to alternating automata. Translations for queries in other temporal logics (such as the modal mu-calculus) can be derived similarly.

We have defined EAA relative to an arbitrary finite lattice, although for query checking we need only EAA based on lattices of the form $L_P^{\min}$. A general definition for EAA was chosen because it is simpler, and also because we can imagine other uses for the more general form. For example, EAA could be used for model checking multi-valued temporal logics [7, 1, 4].
Abstract

Motivated by the need to export relational databases as XML data in the context of the Web, we investigate the typechecking problem for transformations of relational data into tree data (XML). The problem consists of statically verifying that the output of every transformation belongs to a given output tree language (specified for XML by a DTD), for input databases satisfying given integrity constraints. The typechecking problem is parameterized by the class of formulas defining the transformation, the class of output tree languages, and the class of integrity constraints. While undecidable in its most general formulation, the typechecking problem has many special cases of practical interest that turn out to be decidable. The main contribution of this paper is to trace a fairly tight boundary of decidability for typechecking in this framework. In the decidable cases we examine the complexity, and show lower and upper bounds. We also exhibit a practically appealing restriction for which typechecking is in PTIME.

1  Introduction 

Since Codd [8], databases have been modeled as first-order relational structures and database queries as mappings from relational structures to relational structures. This captured well relational databases, where both data and query answers are represented as tables.

Today's technology trends require us to model data that is no longer tabular. The World Wide Web Consortium has adopted a standard data exchange format for the Web, called Extended Markup Language (XML) (see [1]), in which data is represented as a labeled ordered tree, rather than as a table. XML is rapidly becoming the de facto data format on the Web, and many industries (e.g. financial, manufacturing, health care) are migrating their application-specific formats to XML. All major database vendors now offer tools for exporting relational data as XML, thus making it easier for companies to define XML views of their relational data and share them with business partners over the Web. An important aspect of XML is that it allows users to define types. A type is a tree language, and the current standards for XML types (DTD and XML-Schema) correspond to restricted regular tree languages. XML data exchange is always done in the context of a fixed type: a community (or industry) agrees on a certain type, and subsequently all members of the community create XML views of their relational data that are of that type.

(footnote fragment) ...ence Foundation under grant number 97-00128.

In  this  paper  we  study  the  problem  of  mapping 
relational  data  into  tree  data,  specifically  addressing 
the  typechecking  problem.  Given  a  mapping  and  a 
type  for  the  output  tree,  we  wish  to  automatically 
check  whether  every  database  is  mapped  to  a  tree  of 
the  desired  output  type.  As  explained,  this  is  a  crit¬ 
ical  problem  in  XML  data  exchange.  In  addition,  as 
we  show  here,  this  problem  is  also  technically  inter¬ 
esting  and  non-trivial  from  a  theoretical  perspective. 

We  define  a  language,  TreeQL,  expressing  map¬ 
pings  from  relational  structures  to  trees.  A  map¬ 
ping  m  in  TreeQL  is  specified  as  a  tree  where  each 
node  is  labeled  by  a  logical  formula,  possibly  with 
free  variables,  and  a  symbol  from  a  finite  alphabet 
E.  An  ordered  relational  structure  is  mapped  into  a 
E-tree  whose  nodes  consists  of  all  tuples  that  satisfy 
some  formula  in  the  tree,  and  whose  edges  are  defined 
based  on  the  edges  in  m.  In  the  typechecking  prob¬ 
lem  we  are  given  a  regular  tree  language,  called  the 
output  type,  and  a  set  of  integrity  constraints,  and  are 
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asked  to  check  whc'ther  every  input  structure  satisfy¬ 
ing  the  constraints  is  mapped  into  a  tree  in  the  output 
type.  Solving  the  typechecking  problem  boils  down 
to  checking  whether  the  strings  generated  by  the  or¬ 
dered  sets  of  tuples  satisfying  a  sequence  of  logical 
formulas  belong  to  some  regular  language.  The  type¬ 
checking  problem  is  parameterized  by  the  fragment 
of  TrecQL,  the  class  of  output  types,  and  the  class  of 
integrity  constraints. 

The typechecking problem in its various instantiations requires an understanding of the interaction between logic and tree languages. We found this interaction interesting, and had to develop distinct approaches for the different instances of the typechecking problem, combining techniques from finite-model theory, language theory, and combinatorics.

It is easily seen that typechecking becomes undecidable when arbitrary first-order logic (FO) formulas are allowed in the mapping, due to a reduction from the FO finite satisfiability problem. Hence, we focus our investigation on the particular case when the formulas are conjunctive queries. When the output types are further restricted to star-free regular languages, typechecking is decidable. When the output type is an arbitrary regular expression, typechecking is still decidable for projection-free conjunctive formulas (the proof uses a combinatorial argument based on Ramsey's theorem). On the other hand, we show that even small extensions to the basic decidable cases lead to undecidability of typechecking. Thus, our results provide a fairly tight boundary of decidability of typechecking. A side benefit is new insight into the subtle interplay between constraints, query languages, and output tree types.

Related work. Type inference is a well-studied topic in functional programming languages [15]. A type inference system consists of a set of inference rules that can be used to check whether a function (program) is type safe. This means that during execution the program will never get into a state where it attempts to apply an operator to operands of wrong types. The problem we consider here is different. We are checking a semantic property, namely whether every input database is mapped to an output tree of the right type, which is in contrast to the syntactic nature of applying the type inference rules. In our setting type checking rapidly becomes undecidable if we allow the transformation language or the output types to be too expressive. In contrast, type inference for functional programming languages (that are Turing complete) is usually decidable for powerful type systems but is only sound.

Our work is motivated by the practical need to typecheck XML views from relational databases. SilkRoute [10] is a research prototype enabling an XML view to be defined from a relational database using a declarative language. The language TreeQL used in the present paper is an abstraction of the language used by SilkRoute.

A different but related problem is that of typechecking tree transformations. In previous work [14] a subset of the authors studied the typechecking problem for transformations of unranked trees expressed by $k$-pebble transducers, and showed that typechecking is decidable. The unranked trees considered there are labeled over a fixed, finite alphabet $\Sigma$. So they do not take into account the data values present in XML documents. In subsequent work [3] we considered trees with labels from an infinite alphabet, that model more closely XML trees where internal nodes have labels from a known, fixed alphabet, while leaves contain data values from an infinite domain. We showed that typechecking quickly becomes undecidable, even if one considers very restricted transformations. However, typechecking becomes decidable for several restrictions on the class of transformations and/or the tree types. While some of the techniques in [3] are similar in flavor to those in the present paper, there are considerable differences in the two settings. Relational structures can be encoded as XML, but the integrity constraints do not have an analog in XML. Conversely, the DTDs that constrain XML documents cannot be expressed by the relational constraints we consider. However, some of the lower bound results in the present paper can be transferred to the XML context and strengthen results from [3]. A more detailed comparison is deferred to the full version of this paper.

Organization The paper is organized as follows. The first section develops the basic formalism, including our abstraction of XML documents, DTDs, and the variant of TreeQL used as transformation language. Section 3 presents the decidability results; Section 4 the complexity analysis; and Section 5 the undecidability results. The paper ends with brief conclusions. Due to space limitations, some proofs are only sketched or omitted entirely.

2  Basic  Framework 

We introduce here the basic formalism used throughout the paper, including our abstraction of XML documents, DTDs, and the query language TreeQL.

Trees. Trees are our abstraction of XML documents [1]. They capture the nesting structure of XML elements and their tags. We refrain from modeling data values as they are not relevant w.r.t. typechecking. Indeed, output types only constrain the structure of the output tree not the data values at the leaves. We consider ordered trees with node labels from a finite alphabet $\Sigma$. We also refer to such trees as $\Sigma$-trees. We denote by $\mathit{nodes}(t)$ the set of nodes of a tree $t$; for a node $v$, we denote by $\mathit{lab}(v)$ the label of $v$. There is no a priori bound on the number of children of a node; we therefore call these trees unranked. We denote the empty tree by $\varepsilon$ and the set of all trees over $\Sigma$ by $T_\Sigma$. By $\mathit{root}(t)$ we denote the root of $t$. To define the semantics of TreeQL programs we also need the notion of a forest which is just a sequence of trees. We employ the following notational convenience. By $\sigma(t_1, \ldots, t_n)$, where $t_1, \ldots, t_n$ are trees, we mean the tree where the root is labeled with $\sigma$ and the $i$-th subtree is $t_i$.

Types and DTDs. DTDs and their variants provide a typing mechanism for XML documents. We use several notions of types for trees. For $\mathcal{C}$ a class of string languages over $\Sigma$, a DTD over $\Sigma$ w.r.t. $\mathcal{C}$ is a mapping from $\Sigma$ to languages in $\mathcal{C}$. We denote the class of all such DTDs by $\mathrm{DTD}(\mathcal{C})$. Let $d \in \mathrm{DTD}(\mathcal{C})$. Then, a $\Sigma$-tree $t$ satisfies $d$, if for every node $v$ of $t$ with children $v_1, \ldots, v_n$, $\mathit{lab}(v_1) \cdots \mathit{lab}(v_n) \in d(\mathit{lab}(v))$. Note that, if $n = 0$, then $\varepsilon$ should belong to $d(\mathit{lab}(v))$. The set of trees that satisfy $d$ is denoted by $L(d)$.

Obvious examples of classes $\mathcal{C}$ are the regular languages (REG), the star-free regular languages (SF), and the context-free languages (CFL). When $\mathcal{C}$ is the class of regular languages, our notion of DTDs corresponds closely to the DTDs proposed for XML documents. Star-free regular languages are defined by the star-free regular expressions, which are built from single symbols and $\varepsilon$ using concatenation, union, and complement. They correspond exactly to the languages definable in first-order logic (FO) over the vocabulary $\{<, (O_\sigma)_{\sigma \in \Sigma}\}$, where $<$ is a binary relation and every $O_\sigma$ is a unary relation [13, 18]. A string $w = \sigma_1 \cdots \sigma_n$ is then represented by the logical structure $(\{1, \ldots, n\}; <, (O_\sigma)_{\sigma \in \Sigma})$, where $<$ is the natural order on $\{1, \ldots, n\}$ and, for each $i$, $i \in O_\sigma$ iff $\sigma_i = \sigma$.

We will consider an even simpler class of DTDs, which specify cardinality constraints on the tags of the children of a node but do not restrict their order. Such DTDs are useful either when order is irrelevant, or when the order of tags in the output is hard-wired by the syntax of the query and so can be factored out. We use a logic called SC, inspired by [16]. The syntax of the language is as follows. For every $\sigma \in \Sigma$ and natural number $i$, $\sigma^{=i}$ and $\sigma^{\geq i}$ are atomic SC formulas; true is also an atomic SC formula. Every atomic formula is a formula, and the negation, conjunction, and disjunction of formulas are also formulas. A string $w$ over $\Sigma$ satisfies an atomic formula $\sigma^{=i}$ if it has exactly $i$ occurrences of $\sigma$, and similarly for $\sigma^{\geq i}$. Further, true is satisfied by every string.¹ Satisfaction of Boolean combinations of atomic formulas is defined in the obvious way. As an example, consider the SC formula $\text{co-producer}^{\geq 1} \to \text{producer}^{\geq 1}$. This expresses the constraint that a co-producer can only occur when a producer occurs. One can check that the languages expressed in SC correspond precisely to the properties of structures over the vocabulary $\{<, (O_\sigma)_{\sigma \in \Sigma}\}$ that can be expressed in FO without using the order relation $<$. Thus, SC forms a natural subclass of the star-free regular expressions.

We have so far defined DTDs and several restrictions. We next consider an orthogonal extension of basic DTDs, also present in more recent DTD proposals such as XML-Schema [4, 5]. This is motivated by a severe limitation of basic DTDs: their definition of the type of a given tag depends only on the tag itself and not on the context in which it occurs. For example, this means that the singleton $\{t\}$, where $t$ is the tree $a(b(c), b(d))$, cannot be described by a DTD, because the "type" of the first $b$ differs from that of the second $b$. This naturally leads to an extension of DTDs with specialization (also called decoupled types) which, intuitively, allows defining the type of a tag by several "cases" depending on the context. Formally, we have:

Definition 2.1. For a class of languages $\mathcal{C}$, a specialized DTD over $\Sigma$ w.r.t. $\mathcal{C}$ is a tuple $\tau = (\Sigma, \Sigma', d, \mu)$ where (i) $\Sigma$ and $\Sigma'$ are finite alphabets; (ii) $d$ is a DTD over $\Sigma'$ w.r.t. $\mathcal{C}$; and (iii) $\mu$ is a mapping from $\Sigma'$ to $\Sigma$. A tree $t$ over $\Sigma$ satisfies a specialized DTD $\tau$ if $t \in \mu(L(d))$. We denote the set of all such specialized DTDs by $\mathrm{S\text{-}DTD}(\mathcal{C})$.

Intuitively, $\Sigma'$ provides for some $a$'s in $\Sigma$ a set of specializations of $a$, namely those $a' \in \Sigma'$ for which $\mu(a') = a$. We also denote by $\mu$ the homomorphism induced on strings and trees. Interestingly, it turns out that the class S-DTD(REG) is precisely equivalent to the class of regular tree automata over unranked trees [7, 17]. This is more evidence that specialized DTDs are a robust and natural specification mechanism.

Logic. Consider some fixed relational vocabulary $\mathcal{S}$. A database over $\mathcal{S}$ is just an $\mathcal{S}$-structure defined in the usual way [2, 9]. We denote the domain of a database $\mathcal{A}$ by $\mathrm{dom}(\mathcal{A})$. Further, let $\mathcal{L}$ be a logic over $\mathcal{S}$. Then we denote the free variables occurring in $\varphi \in \mathcal{L}$ by $\mathrm{Free}(\varphi)$. In the sequel, $\mathcal{L}$ will usually be the set of conjunctive queries over $\mathcal{S}$, denoted by CQ. Formally, a conjunctive query is a positive existential first-order logic formula $\varphi(x_1, \ldots, x_n)$ having conjunction as its only Boolean connective, that is, a formula of the form $\exists y_1 \cdots \exists y_m\, \psi(\bar y, \bar x)$, where $\psi$ is a conjunction of atomic formulas over $\mathcal{S}$ (so, no equalities). By CQ with superscripts in $\{=, \neg\}$ we mean CQ where $\psi$ can contain equalities and negations of atomic formulas, respectively. A conjunctive query is projection-free when there are no leading existential quantifiers. Another logic frequently referred to in the sequel consists of the FO formulas of the form $\exists \bar x \forall \bar y\, \psi(\bar x, \bar y)$ with $\psi$ quantifier-free. We denote this class by FO($\exists^*\forall^*$).

¹ The empty string is obtained by $\bigwedge_{\sigma \in \Sigma} \sigma^{=0}$ and the empty set by $\neg$true. We hence use $\varepsilon$ and $\emptyset$ as shorthands in SC formulas.

In relational databases, one usually considers databases satisfying some integrity constraints [2]. These are sentences in a specific logic. A database $\mathcal{A}$ satisfies a set of constraints $\Phi$ if $\mathcal{A} \models \varphi$ for every $\varphi \in \Phi$. We mainly consider constraints specified in FO($\exists^*\forall^*$). Note that they encompass functional dependencies (FDs), but not, for instance, inclusion dependencies (IDs). Recall that FDs are expressions of the form $X \to Y$ where $X$ and $Y$ are sets of coordinates of a relation, and $X \to Y$ holds in a relation if whenever two tuples agree on $X$ they also agree on $Y$. IDs are of the form $R[i_1, \ldots, i_k] \subseteq S[j_1, \ldots, j_k]$, where $R$ and $S$ are relation symbols, and $i_1, \ldots, i_k$ and $j_1, \ldots, j_k$ are natural numbers less than or equal to the arity of $R$ and $S$, respectively. A database satisfies the above inclusion dependency iff $\pi_{i_1, \ldots, i_k}(R) \subseteq \pi_{j_1, \ldots, j_k}(S)$, where $\pi$ denotes projection as usual. An inclusion dependency is unary when $k = 1$. A set $\Phi$ of dependencies is cyclic iff one of the following holds:

• $\Phi$ contains a dependency of the form $R[i] \subseteq R[j]$ with $i \neq j$; or

• $\Phi$ contains dependencies $R_1[\bar i_1] \subseteq R_2[\bar j_2]$, $R_2[\bar i_2] \subseteq R_3[\bar j_3]$, $\ldots$, $R_m[\bar i_m] \subseteq R_1[\bar j_1]$.

A set of dependencies is acyclic when it is not cyclic. We denote the class of acyclic inclusion dependencies by AcIDs.

Finally, we recall the following technical notion. For a finite set of variables $X$, an $X$-substitution $\theta$ for $\mathcal{A}$ is a mapping from $X$ to $\mathrm{dom}(\mathcal{A})$. Let $\bar x$ be variables not occurring in $X$ and let $\bar a$ be as many elements of $\mathrm{dom}(\mathcal{A})$. Then $\theta \cup \{\bar x \mapsto \bar a\}$ denotes the $(X \cup \{\bar x\})$-substitution that maps each $x_i$ to $a_i$ and every $y \in X$ to $\theta(y)$.

TreeQL. The transformation language we consider, mapping databases to trees, is an abstraction of RXL [10]. We refer to it as TreeQL. The queries are tree patterns whose nodes are labeled with label-formula pairs. Therefore, denote by $\Sigma \times \mathcal{L}$ the set of pairs $(\sigma, \varphi(\bar x))$ with $\sigma \in \Sigma$ and $\varphi(\bar x)$ a formula in $\mathcal{L}$. TreeQL programs are trees in $\mathcal{T}_{\Sigma \times \mathcal{L}}$. In the next definition, denote by $\mathrm{formula}(v)$ the formula associated to a node $v$.

Definition 2.2. A TreeQL($\mathcal{L}$, $\Sigma$) program is a tree $P \in \mathcal{T}_{\Sigma \times \mathcal{L}}$ such that $\mathrm{Free}(\mathrm{formula}(v)) \subseteq \mathrm{Free}(\mathrm{formula}(v'))$ for all nodes $v$ and $v'$ where $v'$ is a descendant of $v$; in addition, the formula in the label of the root is equivalent to true.

If $\mathcal{L}$ or $\Sigma$ are clear from the context or not important, we sometimes omit them. Sometimes, we abbreviate the label $(\sigma, \text{true})$ simply by $\sigma$.

Let $\mathcal{A}$ be a database over $\mathcal{S}$, $<$ a total order on $\mathrm{dom}(\mathcal{A})$, and $P$ a TreeQL program.

Definition 2.3. The tree $P(\mathcal{A}, <)$ generated by $P$ from $\mathcal{A}$ and $<$ is defined as follows. Its nodes consist of pairs of the form $(v, \theta)$ where $v$ is a node of $P$ and $\theta$ an $X$-substitution (where $X = \mathrm{Free}(\mathrm{formula}(v))$) such that $\mathcal{A} \models \varphi[\theta]$ for every formula $\varphi$ labeling $v$ or labeling an ancestor of $v$ in $P$. The root is $(\mathrm{root}(P), \{\})$, and nodes are ordered component-wise, using the node order in $P$ for $v$ and the lexicographic order $<$ on $\theta$. The edges in $P(\mathcal{A}, <)$ are $((v, \theta), (v', \theta'))$ such that $v'$ is a child of $v$ in $P$ and $\theta'$ is an extension of $\theta$. Finally, the label of a node $(v, \theta)$ is the $\Sigma$-label of $v$ in $P$.

Example 2.4. Consider the TreeQL(CQ) program $P = v_0(v_1, v_2, v_3)$ (i.e., the tree has root node $v_0$ with children $v_1, v_2, v_3$) with $\mathrm{lab}(v_0) = (a, \text{true})$, $\mathrm{lab}(v_1) = (b, R(x, y) \wedge R(y, x))$, $\mathrm{lab}(v_2) = (c, R(x, y))$, $\mathrm{lab}(v_3) = (d, R(x, y) \wedge R(u, v))$, and consider the database $\mathcal{A}$ in which $R = \{(i, j) \mid 0 \leq i \leq j \leq 9\}$, and the natural order $<$ on $\{0, \ldots, 9\}$. Then $P(\mathcal{A}, <)$ is a tree whose root has 10 children labeled $b$, followed by 55 children labeled $c$, followed by $55^2 = 3025$ children labeled $d$.

We remark that RXL [10], the language TreeQL is an abstraction of, also allows to output data values occurring in the input database as labels of leaves in XML documents. However, as we study typechecking and output types do not constrain these data values, we chose to omit them from the formalism.

An extension: TreeQL with virtual nodes. We will use an extension of TreeQL that allows programs to define "temporary" nodes, called virtual, that are eliminated in the final answer. To see why this is useful, consider an input binary relation $R$ providing titles and speakers of talks (ordered alphabetically by title). Suppose we wish to output a tree listing under the root the ordered title/speaker pairs. This cannot be defined by a TreeQL program, because it cannot group the titles and speakers as required. However, suppose we can use temporary nodes, identified by a special label #. Consider the query $\text{root}((\#, R(t, s))((\text{title}, R(t, s)), (\text{speaker}, R(t, s))))$. This produces one node labeled # for each tuple in $R$, whose children are the corresponding title and speaker. The ordered sequence of title/speaker pairs can now be obtained by a "flattening" operation that eliminates the # nodes and concatenates their children.

More formally, let # be a special symbol not occurring in $\Sigma$. We denote by $\Sigma_\#$ the set $\Sigma \cup \{\#\}$. The symbol # will be used to specify virtual nodes. Define the function $\Lambda_\#$, which maps trees to forests by eliminating #-labeled nodes, recursively as follows. Let $t$ be the tree $\sigma(t_1, \ldots, t_n)$. Then

$\Lambda_\#(t) = \sigma(\Lambda_\#(t_1), \ldots, \Lambda_\#(t_n))$ if $\sigma \neq \#$, and $\Lambda_\#(t) = \Lambda_\#(t_1), \ldots, \Lambda_\#(t_n)$ if $\sigma = \#$.

Definition 2.5. A TreeQL($\mathcal{L}$, $\Sigma$) program $P$ with virtual nodes is a TreeQL($\mathcal{L}$, $\Sigma_\#$) program where $\mathrm{lab}(\mathrm{root}(P)) \notin \{\#\} \times \mathcal{L}$. We denote the set of all such programs by TreeQL$^{\mathrm{virt}}$($\mathcal{L}$, $\Sigma$). The tree generated by $P$ from $\mathcal{A}$ and $<$ is defined as $\Lambda_\#(P(\mathcal{A}, <))$, and is denoted, by slight abuse of notation, also by $P(\mathcal{A}, <)$.


Typechecking. We next formalize the central problem of this paper.

Definition 2.6. A TreeQL program $P$ typechecks with respect to a set of constraints $\Phi$ and an output type $d$ iff $P(\mathcal{A}, <) \in L(d)$ for every database $\mathcal{A}$ that satisfies $\Phi$ and every total order $<$ on $\mathrm{dom}(\mathcal{A})$.

Example 2.7. Continuing with Example 2.4, consider the DTD defined by the mapping $d : \{a, b, c, d\} \to \mathrm{REG}$ given by

$d(a) = (b^* \cdot (c \cdot c)^* \cdot (d \cdot d)^*) \mid (b^* \cdot (c \cdot c)^* \cdot c \cdot (d \cdot d)^* \cdot d)$

and $d(b) = d(c) = d(d) = \varepsilon$. The type says that under nodes labeled $a$ there is either an even number of $c$'s and of $d$'s, or an odd number of both. Then the TreeQL program $P$ in Example 2.4 typechecks w.r.t. this DTD.

The typechecking problem is parameterized by (1) the fragment of TreeQL; (2) the output type; and (3) the integrity constraints. Therefore, we denote by

TC[$\mathcal{R}$, $\mathcal{D}$, $\mathcal{IC}$]

the above decision problem, where $\mathcal{R}$ is a fragment of TreeQL or TreeQL$^{\mathrm{virt}}$, $\mathcal{D}$ is a class of output types, and $\mathcal{IC}$ is a class of integrity constraints. To reduce notation, we abbreviate TreeQL($\mathcal{L}$) and TreeQL$^{\mathrm{virt}}$($\mathcal{L}$) by $\mathcal{L}$ and $\mathcal{L}_{\mathrm{virt}}$, respectively; and we abbreviate DTD($\mathcal{C}$) and S-DTD($\mathcal{C}$) by $\mathcal{C}$ and $\mathcal{C}_{\mathrm{spec}}$, respectively.

Clearly, TC[$\mathcal{L}$, $\mathcal{D}$, $\mathcal{IC}$] is undecidable for any logic $\mathcal{L}$ for which satisfiability is undecidable. Indeed, for a sentence $\varphi \in \mathcal{L}$, consider the program $\text{result}((a, \varphi))$ with an output type $d$ such that $d(\text{result}) = \{\varepsilon\}$. Then $\varphi$ is satisfiable iff the program does not typecheck w.r.t. $d$.

In the sequel we focus on conjunctive queries, which correspond to the widely used select-project-join queries in SQL. As shown in Section 5, the typechecking problem quickly becomes undecidable. Nevertheless, as shown in the next section, we obtain decidability and even tractability for a large class of transformations.

3 Decidability

We present in this section our decidability results on typechecking TreeQL queries:

(i) When restricting output DTDs to star-free languages, we show that typechecking is decidable for TreeQL(CQ$^{\neg,=}$) programs and integrity constraints in FO($\exists^*\forall^*$). The proof gives a coNEXPTIME upper bound. In Section 4, we provide the matching lower bound.

(ii) By restricting the queries to projection-free CQs and the integrity constraints to FDs, we show that typechecking w.r.t. DTDs with full regular expressions is decidable. The proof is based on Ramsey theory and yields a non-elementary upper bound. It is open whether this can be improved.

In Section 5, we show that the above results are essentially optimal: a slight increase in the power of the DTDs or the integrity constraints leads to undecidability. However, it remains open whether in (ii) above the restriction to projection-free CQs is required. We first consider star-free output types and integrity constraints in FO($\exists^*\forall^*$).

Theorem 3.1. TC[CQ$^{\neg,=}$, SF, FO($\exists^*\forall^*$)] is in coNEXPTIME.

Proof. The decidability is shown by bounding the size of inputs that need to be checked to detect a violation of the output DTD. Let $R$ be a TreeQL(CQ$^{\neg,=}$) program, let $d \in \mathrm{DTD}(\mathrm{SF})$, and let $\Phi$ be a finite set of FO($\exists^*\forall^*$) sentences.

We start by stating a technical lemma. Extend the star-free regular expressions by the constructs $\sigma^{=i}$ and $\sigma^{\geq i}$. These denote the languages $\{\sigma^i\}$ and $\{\sigma^j \mid j \geq i\}$, respectively.

Lemma 3.2. Let $r$ be a star-free regular expression. Then $r \cap \sigma_1^* \cdots \sigma_n^*$ is equivalent to a disjunction $\rho_r$ of expressions of the form $\sigma_1^{*_1 i_1} \cdots \sigma_n^{*_n i_n}$, where each $*_j \in \{=, \geq\}$ and $i_j \in \mathbb{N}$. Moreover, each $i_j \leq |r|$, the size of $\rho_r$ is exponential in $|r| + n$, and $\rho_r$ can be computed in time exponential in $|r| + n$.

Note that $R$ does not typecheck w.r.t. $d$ iff

• there is a path $v_1, \ldots, v_k$ in $R$ where (i) $v_1$ is a child of the root; (ii) $\mathrm{lab}(v_i) = (\sigma_i, \varphi_i(x_1, \ldots, x_i))$ for $i \in \{1, \ldots, k\}$; and (iii) $v_k$ has precisely $n$ children, with labels $(\delta_1, \psi_1(\bar x, \bar y_1)), \ldots, (\delta_n, \psi_n(\bar x, \bar y_n))$ in that order; and

• there is an $\mathcal{A}$ with elements $\bar a := a_1, \ldots, a_k$ such that (i) $\mathcal{A} \models \Phi$; (ii) $\mathcal{A} \models \varphi_i(a_1, \ldots, a_i)$ for each $i$; and (iii) $\delta_1^{i_1} \cdots \delta_n^{i_n} \notin d(\sigma_k)$, where $|\{\bar b \mid \mathcal{A} \models \psi_j(\bar a, \bar b)\}| = i_j$ for all $j = 1, \ldots, n$.

Let $d(\sigma_k)$ be represented by the star-free regular expression $r$. So, $\delta_1^{i_1} \cdots \delta_n^{i_n} \notin L(r)$. Since for each $\mathcal{A}$ this string will be of the form $\delta_1^* \cdots \delta_n^*$, it suffices to restrict attention to $\neg r \cap \delta_1^* \cdots \delta_n^*$. By Lemma 3.2, $\neg r \cap \delta_1^* \cdots \delta_n^*$ is equivalent to a disjunction, of exponential size, of expressions of the form $\delta_1^{*_1 j_1} \cdots \delta_n^{*_n j_n}$, where each $*_i \in \{=, \geq\}$ and $j_i \leq |r|$. Let $D$ be a particular disjunct $\delta_1^{*_1 j_1} \cdots \delta_n^{*_n j_n}$ such that there is a structure $\mathcal{A}$ with elements $\bar a := a_1, \ldots, a_k$ with

(1) $\mathcal{A} \models \Phi$ and $\mathcal{A} \models \varphi_i(a_1, \ldots, a_i)$ for each $i$; and

(2) $|\{\bar b \mid \mathcal{A} \models \psi_i(\bar a, \bar b)\}| \;*_i\; j_i$, for $i = 1, \ldots, n$.

We next show there is a structure $\mathcal{B}$ of size polynomial in $|R| + |d| + |\Phi|$ satisfying (1) and (2). To see this, we introduce some notation. Suppose $\Phi = \{\exists \bar x^\alpha_\ell \forall \bar y^\alpha_\ell\, \alpha_\ell(\bar x^\alpha_\ell, \bar y^\alpha_\ell)\}_\ell$, $\varphi_i(x_1, \ldots, x_i) = \exists \bar x^\varphi_i\, \gamma_i(x_1, \ldots, x_i, \bar x^\varphi_i)$ for each $i = 1, \ldots, k$, and $\psi_i(\bar x, \bar y_i) = \exists \bar x^\psi_i\, \beta_i(\bar x, \bar y_i, \bar x^\psi_i)$ for each $i = 1, \ldots, n$.

For each $\ell$, pick a tuple $\bar a^\alpha_\ell$ such that $\mathcal{A} \models \forall \bar y^\alpha_\ell\, \alpha_\ell(\bar a^\alpha_\ell, \bar y^\alpha_\ell)$. Let $E_1$ be the set of these elements. Next, pick $a_1, \ldots, a_k$ and, for each $i \in \{1, \ldots, k\}$, pick a tuple $\bar a^\varphi_i$ such that $\mathcal{A} \models \gamma_i(a_1, \ldots, a_i, \bar a^\varphi_i)$. Let $E_2$ be the set of these elements. Further, for $i = 1, \ldots, n$, pick $j_i$ tuples $\bar b_i$ and for each such tuple pick a tuple $\bar a^\psi_i$ such that $\mathcal{A} \models \beta_i(a_1, \ldots, a_k, \bar b_i, \bar a^\psi_i)$. Let $E_3$ be the set of these elements. Note that the size of $E := E_1 \cup E_2 \cup E_3$ is at most polynomial in $|R| + |d| + |\Phi|$. Clearly, $|\{\bar b \mid \mathcal{A}|_E \models \psi_i(\bar a, \bar b)\}| \;*_i\; j_i$ for $i = 1, \ldots, n$. Moreover, $\mathcal{A}|_E \models \Phi$. The latter follows by a standard argument (see, e.g., [6]). Indeed, for each $\ell$, $(\mathcal{A}, E_1) \models \forall \bar y^\alpha_\ell\, \alpha_\ell(\bar a^\alpha_\ell, \bar y^\alpha_\ell)$, where the elements in $E_1$ are taken as constants. As these resulting sentences are universal, $(\mathcal{A}|_E, E_1) \models \forall \bar y^\alpha_\ell\, \alpha_\ell(\bar a^\alpha_\ell, \bar y^\alpha_\ell)$ for each $\ell$. Hence, $\mathcal{A}|_E \models \exists \bar x^\alpha_\ell \forall \bar y^\alpha_\ell\, \alpha_\ell(\bar x^\alpha_\ell, \bar y^\alpha_\ell)$ for each $\ell$. Then take $\mathcal{B}$ as $\mathcal{A}|_E$.

Hence, to look for a database that satisfies the disjunct $D$ it suffices to guess one of exponential size.

Recall that if we find such an $\mathcal{A}$, $R$ does not typecheck w.r.t. $d$. The overall algorithm consists of two stages: (i) For every node $v$ labeled with $\sigma$ and with children $(\delta_1, \psi_1(\bar x, \bar y_1)), \ldots, (\delta_n, \psi_n(\bar x, \bar y_n))$, compute the normal form for $\neg d(\sigma) \cap \delta_1^* \cdots \delta_n^*$ as specified in Lemma 3.2. There is a linear number of nodes, so altogether we need exponential time. (ii) Subsequently, guess a path $v_1, \ldots, v_k$, a disjunct $D$, and a structure $\mathcal{A}$ such that the above holds. As described above, this can all be done in NEXPTIME. □

The following result shows that decidability of typechecking holds even when DTDs use full regular languages, as long as the conjunctive queries in the TreeQL program are restricted to be projection-free and the constraints are FDs. The proof is non-trivial and is based on Ramsey's theorem. It is similar to the proof of an analogous but harder result in [3]. A self-contained proof will be provided in the full paper.

Theorem 3.3. TC[projection-free CQ$^{\neg,=}$, REG, FD] is decidable.

It remains open whether the projection-free restriction can be removed or whether the class of constraints can be extended.

4 Complexity

Theorem 3.1 provides an upper bound of coNEXPTIME on the complexity of typechecking. We show in this section that this is tight. Our proof requires negation and inequality in CQs. However, we show that even without these, typechecking remains intractable, more precisely DP-hard.² Nevertheless, by further restricting the structure of CQs and SC formulas we obtain a PTIME algorithm for typechecking. To this end, define SC' as the fragment of SC where there are no occurrences of the form $\sigma^{=i}$ and all occurrences of the form $\sigma^{\geq i}$ are such that $i \in \{0, 1\}$. We abbreviate $\sigma^{\geq 1}$ simply by $\sigma$. This fragment already suffices to obtain the next lower bound.

² Recall that DP properties are of the form $\sigma_1 \wedge \sigma_2$ where $\sigma_1 \in$ NP and $\sigma_2 \in$ coNP.

Theorem 4.1. TC[CQ$^{\neg,=}$, SC', $\emptyset$] is hard for coNEXPTIME.

Proof. The proof consists of a reduction from the satisfiability problem of FO($\exists^*\forall^*$) sentences without equality, which is known to be hard for NEXPTIME (see, e.g., [6]), to the complement of the typechecking problem.

Let $\varphi$ be a formula of the form $\exists x_1, \ldots, x_n\, \forall y_1, \ldots, y_m\, \psi(\bar x, \bar y)$ over the relations $R_1, \ldots, R_k$ without equality. The input database for the TreeQL program consists of the relations $R_1, \ldots, R_k, D_1, \ldots, D_n$. The sets $D_1, \ldots, D_n$ will be singletons and will serve as the interpretations for the variables $x_1, \ldots, x_n$.

We have to check whether there is a database $\mathcal{A}$ with a tuple $\bar d$ such that $\mathcal{A} \models \forall \bar y\, \psi(\bar d, \bar y)$. We test the converse, that is, $\mathcal{A} \not\models \forall \bar y\, \psi(\bar d, \bar y)$, or equivalently $\mathcal{A} \models \exists \bar y\, \neg\psi(\bar d, \bar y)$. Assume that $\neg\psi$ is of the form $\bigvee_{j=1}^{k} L_j(\bar x, \bar y)$, where each $L_j(\bar x, \bar y)$ is a conjunction $\bigwedge C$ of atomic formulas and negations thereof. Thus, each $L_j$ is a projection-free query in CQ$^\neg$. We define a TreeQL program as follows: the root is labeled with 'result' and has exactly one child labeled with

$(D,\ \bigwedge_{i=1}^{n} D_i(x_i))$

giving the required interpretation to the $x_i$'s. Further, $D$ has the following children:

1. for each $i = 1, \ldots, n$, $(\text{two}_i,\ \exists z_i \exists z_i'\,(D_i(z_i) \wedge D_i(z_i') \wedge z_i \neq z_i'))$, indicating that $D_i$ has at least two elements; and

2. for each $j = 1, \ldots, k$, $(\otimes_j,\ L_j(\bar x, \bar y))$.

The output DTD $d$ is of the following form: $d(\text{result}) := \text{true}$ and

$d(D) := \bigvee_{i=1}^{n} \text{two}_i \vee \bigvee_{j=1}^{k} \otimes_j$.

Suppose the TreeQL program $R$ does not typecheck. Then at least one $D$ appears and none of the $\text{two}_i$'s appear. That is, all $D_i$ are singleton sets. Let $D_i = \{d_i\}$ for each $i$. Further, none of the $\otimes_j$'s appear. Hence, $\mathcal{A} \not\models \exists \bar y\, \neg\psi(\bar d, \bar y)$. Hence, $\mathcal{A} \models \exists \bar x \forall \bar y\, \psi$ and $\varphi$ is satisfiable. Conversely, if $\mathcal{A}$ is a model of $\varphi$ and we instantiate $D_1, \ldots, D_n$ with the witnesses for the existential quantifiers, then $R$ does not typecheck for $\mathcal{A} \cup \{D_1, \ldots, D_n\}$. □

Although it is unclear whether in Theorem 4.1 negation or inequality can be dispensed with, we show that in any case the complexity of the problem, even for the standard case, remains intractable. Indeed, one can easily reduce the containment of conjunctive queries and propositional validity to typechecking. CQ$^{\neq}$ denotes CQ with inequality.

Proposition 4.2. 1. TC[CQ, SC', $\emptyset$] is DP-hard.

2. TC[CQ$^{\neq}$, SC', $\emptyset$] is $\Pi^p_2$-hard.

The proof of Proposition 4.2 implies that, in order to have a PTIME algorithm for typechecking, we must at least restrict the queries so that testing containment is in PTIME, and so that validity of the SC' formulas used is in PTIME. We present one set of restrictions that leads to a PTIME typechecking test. Let CQ$^k$ denote the conjunctive queries in FO$^k$, i.e., the set of conjunctive queries using at most $k$ variables. Such queries can be evaluated in combined complexity PTIME [11, 20]. We restrict TreeQL programs as follows: there exists some $k$ such that, for each node $v$ in the program, the conjunction of all queries of nodes along the path from the root to $v$ is in CQ$^k$. Furthermore, no distinct siblings $v, v'$ in the query tree have labels $(\sigma, \varphi)$ and $(\sigma, \varphi')$ for the same $\sigma \in \Sigma$. We call such a program $k$-bounded and denote the set of $k$-bounded TreeQL programs by TreeQL$^k$. Finally, we also need a restriction on the SC' formulas used in the DTD: they are in conjunctive normal form. We call such SC' formulas conjunctive.

Theorem 4.3. TC[CQ$^k$, conjunctive SC', $\emptyset$] is in PTIME for TreeQL$^k$ programs.

Proof. Let $R$ be a TreeQL$^k$ program and let $d$ be a DTD using conjunctive SC' formulas. We assume w.l.o.g. that every bound variable occurs only once and is different from any free variable. For every non-leaf node $v$ of $R$ with children $u_1, \ldots, u_n$, we do the following. Let $d(\mathrm{lab}(v)) = f_v$, where $f_v = \bigwedge_i C_i$ and each $C_i$ is a disjunction of positive or negated $\sigma$'s. Further, let $\gamma$ be the conjunction of the formulas occurring in labels along the path from the root to $v$. The program typechecks w.r.t. $v$ if, for every input, the sequence of children of $v$ in the output satisfies each of the $C_i$'s. So it is enough to typecheck separately with respect to each of the $C_i$'s. Each $C_i$ is of the form $a_1 \vee \ldots \vee a_k \vee \neg b_1 \vee \ldots \vee \neg b_m$. For each $\sigma \in \Sigma$, let $\psi_\sigma$ denote the formula associated to the unique child of $v$ labeled with $\sigma$. There are three cases to consider:

1. $k > 0$ and $m > 0$. Then $C_i$ is $(b_1 \wedge \ldots \wedge b_m) \to (a_1 \vee \ldots \vee a_k)$. We must check that

$\exists(\psi_{b_1} \wedge \ldots \wedge \psi_{b_m} \wedge \gamma) \models \exists((\psi_{a_1} \wedge \gamma) \vee \ldots \vee (\psi_{a_k} \wedge \gamma))$

where the $\exists$ quantify all variables on the left, resp. right-hand side, except the free variables of $\gamma$: these are shared by all children of one output node and are kept as distinguished variables. From standard conjunctive query techniques it follows that the above holds iff there exists $j$ such that

$\exists(\psi_{b_1} \wedge \ldots \wedge \psi_{b_m} \wedge \gamma) \models \exists(\psi_{a_j} \wedge \gamma)$.

This in turn holds iff the result of evaluating the conjunctive query $\exists(\psi_{a_j} \wedge \gamma)$ on the canonical structure associated to the matrix of $\exists(\psi_{b_1} \wedge \ldots \wedge \psi_{b_m} \wedge \gamma)$ is true. Since $\exists(\psi_{a_j} \wedge \gamma)$ is in CQ$^k$, this can be checked in PTIME.

2. $m = 0$. This amounts to testing that $\exists((\psi_{a_1} \wedge \gamma) \vee \ldots \vee (\psi_{a_k} \wedge \gamma))$ is true on every input. This is false on the empty input, so the program does not typecheck.

3. $k = 0$. Since $\exists(\psi_{b_1} \wedge \ldots \wedge \psi_{b_m} \wedge \gamma)$ is always satisfiable, this never typechecks. □
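The construction of $P(\mathcal{A}, <)$ from Definition 2.3, the DTD check of Examples 2.4 and 2.7, and the containment test of case 1 above, worked through in Python as an added illustration; this is not code from the paper. It assumes a concrete encoding that the paper does not fix: a CQ is a list of atoms over variables (strings) and constants (integers), a program node is a (label, atoms, children) triple, labels are single characters so that a regular output type can be written as a regular expression, and substitutions are ordered lexicographically with variables in sorted name order. The sample node used for the clause test (a path formula $S(x)$ with children labeled $b$, $a$, $c$) is constructed here; it shows why the free variables of $\gamma$ must stay fixed: the fully existentially closed containment accepts the clause $b \to a$, yet the generated tree for $S = \{1, 2\}$, $R = \{(1, 2)\}$ violates it.

```python
import re

# Added illustration, not code from the paper.  Encoding (an assumption of
# this example): a CQ is a list of atoms (relation, terms), a term being a
# variable (str) or a constant (int); the empty list is `true`.  A database
# maps a relation name to a set of tuples.  A TreeQL program node is
# (label, atoms, children); an output tree node is (label, children).


def _bind(sub, term, value):
    """Extend `sub` by term -> value, or check it agrees with an earlier binding."""
    if isinstance(term, str):
        return sub.setdefault(term, value) == value
    return term == value


def evaluate(atoms, db):
    """All substitutions that make every atom true in db (naive nested-loop join)."""
    subs = [{}]
    for rel, terms in atoms:
        extended = []
        for sub in subs:
            for tup in db.get(rel, ()):
                ext = dict(sub)
                if all(_bind(ext, t, c) for t, c in zip(terms, tup)):
                    extended.append(ext)
        subs = extended
    return subs


def generate(program, db, order):
    """P(A,<) of Definition 2.3: a node (v, theta) for every theta satisfying the
    conjunction of the formulas on the path to v.  Siblings are ordered by the
    program order of v, then by theta (values compared through `order`,
    variables taken in sorted name order; the paper leaves that choice open)."""
    rank = {value: i for i, value in enumerate(order)}

    def expand(node, path_atoms, theta):
        label, _, kids = node
        out = []
        for kid in kids:
            atoms = path_atoms + kid[1]
            exts = [s for s in evaluate(atoms, db)
                    if all(s[x] == v for x, v in theta.items())]  # extensions of theta
            exts.sort(key=lambda s: [rank[s[x]] for x in sorted(s)])
            out += [expand(kid, atoms, s) for s in exts]
        return (label, out)

    return expand(program, list(program[1]), {})


def satisfies(tree, dtd):
    """t in L(d): at every node the word of children labels lies in d(lab(node));
    d is given as a regular expression per (single-character) label."""
    label, children = tree
    word = "".join(kid[0] for kid in children)
    return (re.fullmatch(dtd[label], word) is not None
            and all(satisfies(kid, dtd) for kid in children))


def child_counts(tree):
    counts = {}
    for label, _ in tree[1]:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Examples 2.4 and 2.7 of the paper: R = {(i, j) | 0 <= i <= j <= 9}.
EX24_DB = {"R": {(i, j) for i in range(10) for j in range(i, 10)}}
EX24_PROGRAM = ("a", [], [
    ("b", [("R", ("x", "y")), ("R", ("y", "x"))], []),
    ("c", [("R", ("x", "y"))], []),
    ("d", [("R", ("x", "y")), ("R", ("u", "v"))], []),
])
EX27_DTD = {"a": r"b*(cc)*(dd)*|b*(cc)*c(dd)*d", "b": "", "c": "", "d": ""}


# Theorem 4.3: one clause of a conjunctive SC' type, decided by CQ containment.
def canonical(atoms):
    """Canonical structure of a CQ: its variables frozen as constants."""
    db = {}
    for rel, terms in atoms:
        db.setdefault(rel, set()).add(tuple(terms))
    return db


def contained(left, right, fixed=()):
    """left |= right, both existentially closed except for the distinguished
    variables in `fixed` (homomorphism theorem): `right` must match on
    canonical(left) with every fixed variable mapped to itself."""
    return any(all(s.get(x, x) == x for x in fixed)
               for s in evaluate(right, canonical(left)))


def clause_holds(gamma, children, positives, negatives):
    """Clause a_1 v .. v a_k v -b_1 v .. v -b_m at a node whose path conjunction
    is `gamma`; `children` maps a label to the CQ of the unique child carrying
    it (k-bounded program).  The free variables of gamma are shared by all
    children of one output node, so they are kept fixed.  With no negated
    literal the left side is gamma alone (case 2 of the proof); with no
    positive literal the test is false (case 3), a CQ being always satisfiable."""
    fixed = {t for _, terms in gamma for t in terms if isinstance(t, str)}
    left = gamma + [atom for b in negatives for atom in children[b]]
    return any(contained(left, gamma + children[a], fixed) for a in positives)


# Constructed sample node for Theorem 4.3: path formula S(x) and children
# b: S(y) and R(x,y);  a: R(z,x);  c: R(x,z).
GAMMA = [("S", ("x",))]
KIDS = {"b": [("S", ("y",)), ("R", ("x", "y"))],
        "a": [("R", ("z", "x"))],
        "c": [("R", ("x", "z"))]}
```

`clause_holds` treats the three cases of the proof with one test: with no negated literal the left side is $\gamma$ alone, so the clause holds only when some $\psi_{a_j}$ is already forced by $\gamma$ (for a child labeled $(a, \text{true})$ under the root it is, which is the one exception to "false on the empty input"); with no positive literal the disjunction is empty and the test fails. On the sample node, `clause_holds(GAMMA, KIDS, ["a"], ["b"])` is false while `contained(GAMMA + KIDS["b"], GAMMA + KIDS["a"])` without fixed variables is true, and `generate` on the two-element database above produces an $e$-node with a $b$-child but no $a$-child.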

5 Undecidability Results

We have seen in the previous section that TC[CQ$^{\neg,=}$, SF, FO($\exists^*\forall^*$)] is decidable. This is a fairly tight bound. Indeed, we next show that even minor extensions lead to undecidability. We consider several extensions of the output DTDs, TreeQL queries, and integrity constraints. Specifically, we consider (i) specialization, (ii) virtual nodes, and (iii) acyclic inclusion dependencies (AcIDs), and show that typechecking becomes undecidable with each of these extensions. Another parameter in the formalism is the class of string languages used by DTDs. Recall that decidability still holds if we replace SF by REG when restricting to projection-free CQs and omitting integrity constraints. We show that this most likely cannot be extended beyond REG: allowing deterministic CFLs (DCFL) in DTDs leads to undecidability.

We first consider the impact of augmenting DTDs with specialization.

Theorem 5.1. TC[projection-free CQ, SC$_{\mathrm{spec}}$, $\emptyset$] is undecidable.

Proof. We use a reduction from satisfiability of first-order logic formulas over graphs without equality, which is well known to be undecidable (see, e.g., [6]). The satisfiability problem is to check, given an FO formula $\psi$, whether there is a non-empty graph $\mathcal{A}$ such that $\mathcal{A} \models \psi$. Let $\varphi$ be the negation of $\psi$. We give the reduction by example. Assume $\varphi = \exists x_1 \forall x_2 \exists x_3\, \delta(x_1, x_2, x_3)$, where $\delta$ is quantifier-free and in disjunctive normal form, that is, of the form $\bigvee_{i=1}^{m} L_i$, where each $L_i$ is of the form $P^i \wedge \bigwedge_{j=1}^{p_i} N^i_j$, where $P^i$ is a conjunction of atomic formulas and each $N^i_j$ is the negation of a single atomic formula. For a negated atomic formula $N$ we denote the unnegated formula by $\bar N$. Recall that atomic formulas can only be of the form $E(x_i, x_j)$.

Consider the TreeQL(CQ) program $R$ depicted in Figure 1. By $L_i$ we denote the sequence

$(P^i, P^i)(N^i_1, \bar N^i_1) \ldots (N^i_{p_i}, \bar N^i_{p_i})$.

Recall that the first component of the pair is a label while the second one is a formula. Intuitively, every occurrence of an $X_i$ in the output tree represents a value assignment for the variable $x_i$. The specialized DTD then takes care of the quantification pattern of $\varphi$. Indeed, it should verify that there is an $X_1$-node such that for all its $X_2$-children there is an $X_3$-node that satisfies $\delta$. To this end let $\Sigma' = \{X_i, Y_i \mid i \in \{1, \ldots, n\}\} \cup \{\text{result}\}$. Intuitively, whenever a node is labeled $Y_i$, this indicates that the path from the root to this node can be extended to a satisfiable path. Define $d(\text{result}) := Y_1 \vee \varepsilon$, $d(Y_1) := Y_2 \wedge \neg X_2$, $d(Y_2) := Y_3$, and $d(X_1) := d(X_2) := d(X_3)$. Here $\varepsilon$ makes sure the empty graph typechecks. Finally, set for each $i$, $\mu(X_i) := X_i$ and $\mu(Y_i) := X_i$. Clearly, $R$ typechecks w.r.t. $d$ iff $\mathcal{A} \models \varphi$ for every non-empty structure $\mathcal{A}$.

One can get rid of equality in the CQs by introducing a relation containing all elements in the active domain. Details omitted. □

result
  $(X_1,\ x_1 = x_1)$
    $(X_2,\ x_1 = x_1 \wedge x_2 = x_2)$
      $(X_3,\ x_1 = x_1 \wedge x_2 = x_2 \wedge x_3 = x_3)$
        $L_1 \ \ldots\ L_m$

Figure 1: The TreeQL program $R$.

The next result shows that typechecking becomes undecidable when queries can use virtual nodes. The proof is similar to the proof of Theorem 5.1 and is omitted.

Theorem 5.2. TC[projection-free CQ$_{\mathrm{virt}}$, SF, $\emptyset$] is undecidable.

Remark 5.3. The undecidability result in Theorem 5.2 requires DTDs using SF formulas. The next proposition shows that restricting the DTD language to SC renders typechecking decidable, even when virtual nodes are allowed.

Proposition 5.4. TC[CQ$^{\neg,=}_{\mathrm{virt}}$, SC, FO($\exists^*\forall^*$)] is decidable. □

Next, we consider the effect of the constraints on decidability. We show that even the usually well-behaved unary AcIDs (which are not definable in FO($\exists^*\forall^*$)) render typechecking undecidable.

Theorem 5.5. TC[CQ$^{\neg,=}$, SC', unary AcIDs] is undecidable.
Proof. We consider the fragment of FO consisting of formulas of the form $\forall x\,\psi(x)$ where $\psi$ is a quantifier-free formula over the vocabulary of two unary functions $f$ and $g$. It is well-known that it is undecidable whether there is a non-empty structure $\mathbf{A}$ such that $\mathbf{A} \models \forall x\,\psi(x)$ (see e.g. [6]). The schema of the input database consists of the two binary relations $F$ and $G$ (representing the functions $f$ and $g$), and a unary relation $D$ representing the active domain of the structure. Using $D$ will allow us to get rid of circular dependencies.

First, we have to make sure that $F$ and $G$ are indeed functions, that their domain is $D$, and that their range is included in $D$. These are specified by the cyclic unary inclusion dependencies

(a) $F[1] \subseteq D[1]$      (e) $D[1] \subseteq F[1]$
(b) $G[1] \subseteq D[1]$      (f) $D[1] \subseteq G[1]$
(c) $F[2] \subseteq D[1]$
(d) $G[2] \subseteq D[1]$.

However, we will only keep the dependencies (e) and (f): we show that (a)-(d) can be expressed by the TreeQL program itself. We next describe this TreeQL program in detail. We first check whether the inclusion dependency (a) holds. If not, we generate the flag (a)_does_not_hold:

result
    ((a)_does_not_hold, $\exists x \exists y\,(F(x, y) \wedge \neg D(x))$).

The same is done for the dependencies (b)-(d). Next we have to check whether $F$ is indeed a function and not an arbitrary relation. For instance, both $(a, b)$ and $(a, c)$, with $b \neq c$, could belong to $F$. This can be detected as follows:

result
    (wrong_F, $\exists x \exists y \exists z\,(F(x, y) \wedge F(x, z) \wedge y \neq z)$).

The same is done for $G$. In particular, if $G$ is a relation and not a function then the flag wrong_G is raised.

We test whether $\mathbf{A} \not\models \forall x\,\psi(x)$, that is, $\mathbf{A} \models \exists x\,\neg\psi(x)$. We can rewrite $\exists x\,\neg\psi(x)$ to

$\exists x \bigvee_{i=1}^{n} L_i(x)$

where each $L_i$ is of the form $\bigwedge_{j=1}^{m_i} C_j$ where each $C_j$ is an equality or an inequality between terms. For instance, $C_1 = (fgx = ffx)$ (parentheses omitted for clarity) or $C_2 = (fgx \neq ffx)$. Obviously, there is a canonical way to associate a $\mathrm{CQ}^{\neq}$ with each $C_j$: every application of $f$ or $g$ in a term becomes one $F$- or $G$-atom on a fresh variable, and the (in)equality is stated on the last variables of the two chains. For instance,

$\varphi_{C_1}(x) = \exists y_2, y_3, z_2, z_3\,(G(x, y_2) \wedge F(y_2, y_3) \wedge F(x, z_2) \wedge F(z_2, z_3) \wedge y_3 = z_3)$,

and

$\varphi_{C_2}(x) = \exists y_2, y_3, z_2, z_3\,(G(x, y_2) \wedge F(y_2, y_3) \wedge F(x, z_2) \wedge F(z_2, z_3) \wedge y_3 \neq z_3)$.

Further, we define $\varphi_{L_i}$ as $\varphi_{C_1}(x) \wedge \dots \wedge \varphi_{C_{m_i}}(x)$. The just described part of the TreeQL query is then of the form:

result
    $(L_1, \exists x\,\varphi_{L_1}(x)) \ \dots\ (L_n, \exists x\,\varphi_{L_n}(x))$.

Hence, $\mathbf{A} \not\models \forall x\,\psi(x)$ exactly when one of the error flags $L_i$ is raised.

Finally, we have to make sure that $D$ is non-empty. Therefore we have

result
    (D_not_empty, $\exists z\,D(z)$).

The final TreeQL program is the concatenation of the previous programs (that is, the concatenation of all children under one result node). Note that a non-empty input structure for which $\mathbf{A} \models \forall x\,\psi(x)$ simply generates the tree result(D_not_empty). The output DTD $d$ then maps result to D_not_empty $\wedge$ error, where error is the disjunction over all error flags. If $R$ does not typecheck w.r.t. $d$, then there is an $\mathbf{A}$ and an ordering $<$ such that $R(\mathbf{A}, <) \notin L(d)$. By construction, $\mathbf{A}$ is non-empty and no error flag is raised. Therefore, $\mathbf{A}|_D \models \forall x\,\psi(x)$. Conversely, if there is an $\mathbf{A}$ such that $\mathbf{A} \models \forall x\,\psi(x)$ then for every ordering $<$, $R(\mathbf{A} \cup D, <) \notin L(d)$, where $D$ is interpreted by the active domain of $\mathbf{A}$. □
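The flag-based program above can be run on a small instance. The following is an added example and not part of the paper: it evaluates the dependency flags (a)-(d), the wrong_F/wrong_G checks, the canonical translation of a term (in)equality into a join chain, and the conformance test for the output DTD. The instances F0, G0, F_ID, the formula ψ and all function names are constructed for this example.

```python
from itertools import product

# Added example, not from the paper: an evaluator for the flag-based TreeQL
# program of the proof.  F and G are binary relations meant to encode unary
# functions f and g, D is the active domain.  All instances and names below
# are constructed for this example.

def inclusion_flags(F, G, D):
    """Flags for dependencies (a)-(d); a flag is raised iff the inclusion fails."""
    checks = {
        "(a)_does_not_hold": any(x not in D for x, _ in F),   # F[1] ⊆ D[1]
        "(b)_does_not_hold": any(x not in D for x, _ in G),   # G[1] ⊆ D[1]
        "(c)_does_not_hold": any(y not in D for _, y in F),   # F[2] ⊆ D[1]
        "(d)_does_not_hold": any(y not in D for _, y in G),   # G[2] ⊆ D[1]
    }
    return {flag for flag, raised in checks.items() if raised}

def not_a_function(R):
    """The query behind wrong_F / wrong_G: ∃x∃y∃z R(x,y) ∧ R(x,z) ∧ y ≠ z."""
    return any(x1 == x2 and y != z for (x1, y), (x2, z) in product(R, R))

def images(term, x, F, G):
    """Witnesses of the join chain that the canonical CQ builds for a term.
    'fg' is read as f(g(x)): the atoms are G(x, y2), F(y2, y3), and the result
    is the set of possible y3 (a singleton once F and G are functions)."""
    rel = {"f": F, "g": G}
    current = {x}
    for letter in reversed(term):          # innermost function is applied first
        current = {b for a, b in rel[letter] if a in current}
    return current

def atom_holds(cond, x, F, G):
    """φ_C(x) for a condition C = (t, op, t') with op in {'=', '≠'}."""
    t, op, t2 = cond
    left, right = images(t, x, F, G), images(t2, x, F, G)
    if op == "=":
        return bool(left & right)
    return any(a != b for a in left for b in right)

def treeql_children(F, G, D, neg_psi_dnf):
    """Labels of the children of the result node produced by the concatenated
    TreeQL program.  neg_psi_dnf lists the disjuncts L_1, ..., L_n of ¬ψ, each
    a list of (in)equality conditions C_j."""
    children = inclusion_flags(F, G, D)
    if not_a_function(F):
        children.add("wrong_F")
    if not_a_function(G):
        children.add("wrong_G")
    for i, L in enumerate(neg_psi_dnf, start=1):
        if any(all(atom_holds(c, x, F, G) for c in L) for x in D):
            children.add(f"L_{i}")
    if D:
        children.add("D_not_empty")
    return children

def conforms(children):
    """Output DTD d: result needs a D_not_empty child and at least one error flag."""
    return "D_not_empty" in children and any(c != "D_not_empty" for c in children)

# Constructed instances.  ψ(x) := f(g(x)) = f(f(x)), so ¬ψ has one disjunct L_1
# consisting of the single inequality C_1 = (fgx ≠ ffx).
NEG_PSI = [[("fg", "≠", "ff")]]
D0 = {1, 2, 3}
F0 = {(1, 2), (2, 3), (3, 3)}       # f(1)=2, f(2)=3, f(3)=3
G0 = {(1, 1), (2, 1), (3, 2)}       # g(1)=1, g(2)=1, g(3)=2
F_ID = {(1, 1), (2, 2), (3, 3)}     # the identity: a model of ∀x ψ(x)

if __name__ == "__main__":
    # x = 1 gives fgx = 2 and ffx = 3, so L_1 is raised and the tree conforms.
    print(sorted(treeql_children(F0, G0, D0, NEG_PSI)))
    # With f = g = identity no flag is raised: result(D_not_empty) is outside L(d),
    # i.e. this instance is a witness that R does not typecheck.
    print(sorted(treeql_children(F_ID, F_ID, D0, NEG_PSI)))
```

The second instance is exactly the situation the proof relies on: a model of ∀x ψ(x) yields a tree with no error flag, and the output DTD rejects it.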

Theorem 3.3 showed that typechecking remains decidable even for DTDs using full regular languages, as long as the queries are restricted to be projection-free. As shown next, going beyond regular languages quickly leads to undecidability.

Theorem 5.6. TC[projection-free CQ, DCFL, $\emptyset$] is undecidable.

Proof. The proof is a reduction from Hilbert's tenth problem, the solvability of diophantine equations, well-known to be undecidable [12]. We consider the following variant. For a polynomial $P(x_1, \dots, x_n)$ with integer coefficients, are there positive integers $i_1, \dots, i_n$ such that $P(i_1, \dots, i_n) = 0$? We only give the reduction by example. The general case is a straightforward generalization. Consider, for instance, the polynomial $2xy - x^2 + 1$. The input database consists of two sets $X$ and $Y$ where the cardinalities of $X$ and $Y$ stand for the numbers $x$ and $y$, respectively. We describe a TreeQL program that generates from $X$ and $Y$ sequences of $a$'s and $b$'s. A positive term in $P$ generates $a$'s while a negative one generates $b$'s. Hence, an $a$ stands for $+1$, and a $b$ stands for $-1$. The output DTD states that the number of $a$'s differs from the number of $b$'s. This holds iff $|X|$ and $|Y|$ do not form a solution to $P$, and the language specified by the DTD can easily be recognized by a deterministic PDA. The TreeQL program is a tree of depth one. For the example polynomial, the nodes under the root are:

$(a, X(x) \wedge Y(y)) \cdot (a, X(x) \wedge Y(y)) \cdot (b, X(x_1) \wedge X(x_2)) \cdot (a, \mathit{true})$.

Here, the first two symbols correspond to the term $2xy$ and generate $a$'s as the term is positive; similarly, the third and the fourth symbol correspond to $-x^2$ and $+1$, respectively. The output generates sequences of $a$'s and $b$'s. The deterministic PDA accepts when the number of $a$'s is different from the number of $b$'s. Hence, the TreeQL program typechecks iff the diophantine equation has no positive solution. □
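The following added example, not part of the paper, carries the reduction out for the example polynomial and for a second, solvable one: it produces the a/b sequence of the depth-one TreeQL program from the cardinalities |X| and |Y|, simulates the deterministic PDA for "#a ≠ #b", and searches a bounded range of cardinalities for an input on which the output is rejected. The polynomial encoding, the bound and the names are this example's own; the bounded search only illustrates the reduction, since the problem itself is undecidable.

```python
from itertools import product

# Added example, not from the paper.  A polynomial is a list of monomials
# (coefficient, exponent vector); EXAMPLE is the paper's 2xy - x^2 + 1.

EXAMPLE = [(2, (1, 1)), (-1, (2, 0)), (1, (0, 0))]   # 2·x·y  -1·x^2  +1
X_MINUS_Y = [(1, (1, 0)), (-1, (0, 1))]               # x - y, solvable at x = y

def treeql_string(poly, cards):
    """The a/b sequence produced by the depth-one TreeQL program.
    A monomial c·x1^e1···xn^en contributes |c| nodes, each labelled a (c > 0)
    or b (c < 0) and guarded by X1(x_1)∧...∧X1(x_e1)∧..., a conjunction with
    |X1|^e1···|Xn|^en satisfying assignments.  cards holds |X1|, ..., |Xn|."""
    out = []
    for coeff, exps in poly:
        count = abs(coeff)
        for card, e in zip(cards, exps):
            count *= card ** e
        out.append(("a" if coeff > 0 else "b") * count)
    return "".join(out)

def dpda_accepts(word):
    """Deterministic PDA for {w : #a(w) ≠ #b(w)}.  The stack holds the current
    surplus symbol: a letter equal to the top is pushed, the opposite letter
    cancels one copy.  Accept iff the stack is non-empty at the end."""
    stack = []
    for ch in word:
        if stack and stack[-1] != ch:
            stack.pop()
        else:
            stack.append(ch)
    return bool(stack)

def evaluate(poly, values):
    """P(values), to cross-check the string encoding: #a - #b = P(|X1|, ..., |Xn|)."""
    total = 0
    for coeff, exps in poly:
        term = coeff
        for v, e in zip(values, exps):
            term *= v ** e
        total += term
    return total

def bounded_typecheck(poly, bound):
    """Typechecking is undecidable in general; this only searches positive
    cardinalities up to `bound` for an input whose output the DPDA rejects.
    Returns None if every tried instance conforms, otherwise the rejected
    cardinalities, which are a positive solution of P = 0."""
    n = len(poly[0][1])
    for cards in product(range(1, bound + 1), repeat=n):
        if not dpda_accepts(treeql_string(poly, cards)):
            return cards
    return None

if __name__ == "__main__":
    w = treeql_string(EXAMPLE, (2, 3))
    print(w.count("a") - w.count("b"), evaluate(EXAMPLE, (2, 3)))  # both 9
    print(bounded_typecheck(EXAMPLE, 20))      # None: 2xy - x^2 + 1 = 0 has no positive solution
    print(bounded_typecheck(X_MINUS_Y, 20))    # (1, 1): the output "ab" is rejected
```

For 2xy - x^2 + 1 the equation x(x - 2y) = 1 forces x = 1 and y = 0, so no positive solution exists and every instance in the search range conforms, matching the theorem's "typechecks iff no positive solution".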


6  Conclusions

We investigated the problem of typechecking XML views of relational databases satisfying given integrity constraints. This is a practically important problem in the context of the Web, where relational databases must be exported in XML form that satisfies target DTDs. The formal query language TreeQL maps first-order relational structures to tree data, and is a faithful abstraction of the view definition language used in the SilkRoute prototype. The results of the paper trace a fairly tight border of decidability for the typechecking problem. The parameters considered include features of the query language, of the DTDs, and the class of integrity constraints satisfied by the relational database. The proofs bring into play a variety of techniques at the confluence of finite-model theory, language theory, and combinatorics.
A Model-Theoretic Approach to Regular String Relations

Abstract

We study algebras of definable string relations: classes of regular $n$-ary relations that arise as the definable sets within a model whose carrier is the set of all strings. We show that the largest such algebra, the collection of regular relations, has some quite undesirable computational and model-theoretic properties. In contrast, we exhibit several definable relation algebras that have much tamer behavior: for example, they admit quantifier elimination, and have finite VC dimension. We show that the properties of a definable relation algebra are not at all determined by the one-dimensional definable sets. We give models whose definable sets are all star-free, but whose binary relations are quite complex, as well as models whose definable sets include all regular sets, but which are much more restricted and tractable than the full algebra of regular relations.


1  Introduction 

In the past 40 years, various connections between logic, formal languages and automata have been explored in great detail. The standard setting for connecting logical definability with various properties of formal languages is to represent strings over a finite alphabet $\Sigma = \{a_1, \dots, a_n\}$ as first-order structures in the signature $(P_{a_1}, \dots, P_{a_n}, <)$, so that the structure $M_s$ for a string $s$ of length $k$ has the universe $\{1, \dots, k\}$, with $<$ being the usual ordering, and $P_{a_i}$ being the set of the positions $j$ such that the $j$th character in $s$ is $a_i$. Then a sentence $\Phi$ of some logic $\mathcal{L}$ defines a language $L(\Phi) = \{s \in \Sigma^* \mid M_s \models \Phi\}$. Two classical results on logic and language theory state that languages thus definable in monadic second-order logic (MSO) are precisely the regular languages [8], and the languages definable in first-order logic (FO) are precisely the star-free languages [25]. For a survey, see [28, 29].

An alternative approach to definability of strings, based on classical infinite model theory rather than finite model theory, dates back to [8, 10]. One considers an infinite structure $M$ consisting of $(\Sigma^*, \Omega)$, where $\Omega$ is a set of functions, predicates and constants on $\Sigma^*$. One can then look at definable sets, those of the form $\{\vec{a} \mid M \models \varphi(\vec{a})\}$, where $\varphi$ is a first-order formula in the language of $M$. A well-known result links definability with traditional formal language theory. Let $\Omega_{\mathrm{reg}}$ consist of unary functions $l_a$, $a \in \Sigma$, and binary predicates $\mathrm{el}(x, y)$ and $x \prec y$, where $l_a(x) = x \cdot a$, $\mathrm{el}(x, y)$ states that $x$ and $y$ have the same length, and $x \prec y$ states that $x$ is a prefix of $y$. Let $S_{\mathrm{len}}$ be the model $(\Sigma^*, \Omega_{\mathrm{reg}})$ (we will explain the notation later). Then subsets of $\Sigma^*$ definable in $S_{\mathrm{len}}$ are precisely the regular languages [8, 10, 9].

An advantage of the "model-theoretic approach" is that one immediately gets an extension of the notion of recognizability from string languages to $n$-ary string relations for arbitrary $n$. One gets an algebra of $n$-ary string relations for every $n$, and these algebras automatically have closure under projection and product, in addition to the boolean operations. In the case of the model $S_{\mathrm{len}}$ above, this algebra is not new: in fact, the definable $n$-ary relations are exactly the ones recognizable under a natural notion of automaton running over $n$-tuples [10, 15].

An obvious question to ask, then, is whether new algebras of string relations arise through the model-theoretic approach. In particular, if we restrict the signature $\Omega$ to be less expressive than $\Omega_{\mathrm{reg}}$, do we get new relation algebras lying within the recognizable relations?

A natural starting point would be to find a signature that captures properties of the star-free sets. Here again, a simple example leaps out: consider the signature $\Omega_{\mathrm{sf}} = (\prec, (l_a)_{a \in \Sigma})$, and let $S = (\Sigma^*, \Omega_{\mathrm{sf}})$. One can easily show that the definable subsets of $\Sigma^*$ in $S$ are exactly the star-free ones. Furthermore, we will show that the definable $n$-ary relations of this model are exactly those definable by regular prefix automata (cf. [1]) whose underlying string automata are counter-free.

Just as there is a significant difference between the complexity-theoretic behavior of regular languages and star-free languages, we find that the model $S$ is much more tractable, in terms of its model theory and its complexity, than $S_{\mathrm{len}}$. In particular, we show that $S$ has quantifier elimination in a natural relational extension, while $S_{\mathrm{len}}$ does not.

It would be tempting to think of $S$ and $S_{\mathrm{len}}$ as canonical extensions of the notions of regularity and star-freeness to $n$-ary relations. However, we will show that in fact there are many choices for $\Omega$ that share the same one-dimensional definable sets (either star-free or regular). Furthermore, algebras of definable sets may be identical in terms of the string languages they define, but differ considerably in the $n$-ary string relations in the definable algebra. We thus say that an algebra of definable sets based on $(\Sigma^*, \Omega)$, with $\Omega \subseteq \Omega_{\mathrm{reg}}$, is a regular algebra of definable sets if the subsets of $\Sigma^*$ in it (i.e. the one-dimensional definable sets of $(\Sigma^*, \Omega)$) are exactly the regular sets. We likewise say that the algebra based on definable sets for $(\Sigma^*, \Omega)$ is a star-free algebra of definable sets if the subsets of $\Sigma^*$ in the algebra are exactly the star-free sets.

The rest of the paper studies new examples of regular and star-free definable algebras. We give an example of a star-free algebra with considerably more expressive power than the basic star-free algebra $S$. This model, which we denote by $S_{\mathrm{left}}$ (as it allows one to add characters on the left of a string), shares most of the desirable properties of $S$: in particular, it has quantifier elimination in a natural language, and membership test in this algebra has low complexity.

More surprisingly, perhaps, we give examples of regular algebras (which we denote $S_{\mathrm{reg}}$ and $S_{\mathrm{reg,left}}$) that are strictly contained in $S_{\mathrm{len}} = (\Sigma^*, \Omega_{\mathrm{reg}})$. Although the one-dimensional sets in these algebras are still the regular sets, the algebra as a whole shares many of the attractive properties of the star-free languages. In particular, we give quantifier-elimination results for these algebras.

One key motivation for our work comes from the field of databases, in particular, the study of query languages with interpreted operations [3, 5, 19], and constraint databases [23]. In those settings, quantifier elimination gives one closed-form evaluation for queries: it says that one can evaluate queries whose input is a quantifier-free definable set and get a closed-form solution as another quantifier-free defin­able set. This approach has generally been applied to numerical domains over the reals, since there are several powerful quantifier-elimination results available there. It is natural to extend this approach to databases over strings: the string datatype, after all, is ubiquitous in database applications, and languages such as SQL already give some capability of manipulating star-free sets (via the LIKE predicate) defined from the input data within queries. But in order to extend the constraint-database approach to the string context, we are first required to find definable algebras that admit quantifier elimination in some natural yet powerful language. (Some of the previous results in this direction considered query languages over undecidable structures [20], or decidable ones but not capable of expressing some very basic operations on strings [14].) The quantifier-elimination results here thus yield new examples where the constraint approach can be applied. In fact, the results we present here were used in [7] to give expressiveness and complexity bounds for the database query languages that arise from several algebras of definable sets.

Our approach was also motivated by the study of automatic structures [22, 9], which are a subclass of recursive structures [21], and were introduced recently as a generalization of automatic groups [16]. In an automatic structure $M = (\Sigma^*, \Omega)$, every predicate in $\Omega$ is definable by a finite automaton. More precisely, an $n$-ary predicate $P$ is given by a letter-to-letter $n$-automaton [15, 18]. Such an automaton is a usual DFA whose alphabet is $(\Sigma \cup \{\#\})^n$, $\# \notin \Sigma$. An $n$-tuple of strings $s_1, \dots, s_n$ can be viewed as a word of length $\max_i |s_i|$ over the alphabet $(\Sigma \cup \{\#\})^n$, where the $j$th letter is the tuple $(s_1^j, \dots, s_n^j)$; here $s_i^j$ is the $j$th letter of $s_i$ if $j \le |s_i|$, and $\#$ otherwise. We then say that a predicate $P \subseteq (\Sigma^*)^n$ is definable by a letter-to-letter $n$-automaton $\mathcal{A}$ if $(s_1, \dots, s_n) \in P$ iff $\mathcal{A}$ accepts the word representing $s_1, \dots, s_n$.

It is known [10, 9] that a structure is automatic iff it can be interpreted in the structure $S_{\mathrm{len}}$; hence $S_{\mathrm{len}}$ is in some sense the universal automatic structure. It is interesting then to look at subclasses of automatic structures definable within $S_{\mathrm{len}}$ that are significantly more restrictive, and that might have stronger model-theoretic or computational properties than a rich structure like $S_{\mathrm{len}}$. One dividing line we focus on is between automatic structures that do admit quantifier elimination in a natural relational language, and those that do not.
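As an added example (not from the paper), the following code implements the letter-to-letter encoding with padding # described above and gives automata for the predicates el(x, y), x ≺ y and the graph of l_a from Ω_reg, together with product and complement constructions showing closure under ∧ and ¬. The class and function names are this example's own.

```python
# Added example, not from the paper: letter-to-letter n-automata over an
# alphabet extended with the padding symbol #, and automata for the
# predicates of Ω_reg.  All names are this example's own.

PAD = "#"

def convolution(*strings):
    """Encode an n-tuple as a word over (Σ ∪ {#})^n of length max_i |s_i|:
    position j carries the jth letter of each string, or # once it has ended."""
    length = max((len(s) for s in strings), default=0)
    return [tuple(s[j] if j < len(s) else PAD for s in strings) for j in range(length)]

class DFA:
    """Deterministic letter-to-letter n-automaton.  step(state, letter) returns
    the next state or None (an implicit rejecting sink); final(state) tests
    acceptance after the whole encoded word has been read."""
    def __init__(self, start, step, final):
        self.start, self.step, self.final = start, step, final

    def accepts(self, *strings):
        state = self.start
        for letter in convolution(*strings):
            state = self.step(state, letter)
            if state is None:
                return False
        return self.final(state)

# el(x, y): equal length, i.e. no position ever carries a padding symbol.
EL = DFA("q", lambda q, letter: None if PAD in letter else q, lambda q: True)

# x ≺ y: the letters agree until x ends; afterwards x is padded and y continues.
def _prefix_step(q, letter):
    a, b = letter
    if q == "same" and a == b and a != PAD:
        return "same"
    if a == PAD and b != PAD:
        return "tail"
    return None
PREFIX = DFA("same", _prefix_step, lambda q: True)

def last_letter(a):
    """Graph of l_a: the pairs (x, y) with y = x·a."""
    def step(q, letter):
        if q == "copy" and letter[0] == letter[1] and letter[0] != PAD:
            return "copy"
        if q == "copy" and letter == (PAD, a):
            return "done"
        return None
    return DFA("copy", step, lambda q: q == "done")

def intersect(A, B):
    """Product automaton: definable relations are closed under ∧."""
    def step(q, letter):
        p, r = A.step(q[0], letter), B.step(q[1], letter)
        return None if p is None or r is None else (p, r)
    return DFA((A.start, B.start), step, lambda q: A.final(q[0]) and B.final(q[1]))

def complement(A):
    """Closure under ¬: make the rejecting sink explicit, then swap acceptance."""
    SINK = object()
    def step(q, letter):
        if q is SINK:
            return SINK
        nxt = A.step(q, letter)
        return SINK if nxt is None else nxt
    return DFA(A.start, step, lambda q: q is SINK or not A.final(q))

# x ≺ y together with el(x, y) forces x = y; ¬(x ≺ y) is again automatic.
PREFIX_AND_EL = intersect(PREFIX, EL)
NOT_PREFIX = complement(PREFIX)

if __name__ == "__main__":
    print(convolution("ab", "c"))                       # [('a', 'c'), ('b', '#')]
    print(PREFIX.accepts("ab", "abc"), EL.accepts("ab", "abc"))   # True False
    print(last_letter("a").accepts("ab", "aba"))        # True
```

Padding on the right is what makes el and ≺ regular in this encoding: a length difference shows up as a # in one component, which the automaton can see letter by letter.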

Our first result gives a partial answer to an open question in [26], which asks whether $S_{\mathrm{len}}$ itself has quantifier elimination in a reasonable signature. We show that it does not have quantifier elimination in any relational signature of bounded arity but does have quantifier elimination in a signature containing binary functions. The other structures that we study, $S$, $S_{\mathrm{reg}}$, $S_{\mathrm{left}}$ and $S_{\mathrm{reg,left}}$, do admit such a quantifier elimination. A second dichotomy is between automatic structures that admit star-free definable algebras versus those that have regular algebras. We show that the models $S$ and $S_{\mathrm{left}}$ have star-free definable algebras, while the model $S_{\mathrm{reg}}$ does not. Our results indicate that the class of automatic structures that admit star-free definable algebras is richer than one might have guessed.

Organization  Section 2 introduces the notation. Section 3 explores the motivating example, the model $S_{\mathrm{len}}$, and proves a set of results concerning its limitations. In Section 4 we turn to the minimal example of a star-free algebra, the model $S$, and prove a quantifier-elimination result for this model that contrasts with the negative result proved for $S_{\mathrm{len}}$. Section 5 extends the results of the previous section to a more complex example of a star-free algebra, the model $S_{\mathrm{left}}$. Section 6 gives a restriction of $S_{\mathrm{len}}$ that admits a regular algebra, and proves a quantifier elimination result for this model. The section also connects this model to the minimal model $S$. Section 7 gives an additional example of a regular algebra, which contains each of the previous examples. Section 8 gives conclusions. All proofs are in the full version [6].

2  Notations

Throughout the paper, $\Sigma$ denotes a finite alphabet, and $\Sigma^*$ the set of all finite strings over $\Sigma$. We consider a number of operations on $\Sigma^*$:

•  $x \cdot y$ - concatenation of two strings $x$ and $y$.

•  $x \prec y$ - $x$ is a prefix of $y$.

•  $l_a(x)$, $a \in \Sigma$, is $x \cdot a$ (adds last character).

•  $f_a(x)$, $a \in \Sigma$, is $a \cdot x$ (adds first character).

•  $|x|$ is the length of string $x$.

•  $x \sqcap y$ is the longest common prefix of the strings $x$ and $y$.

•  $x - y$ - the string $z$ such that $y \cdot z = x$, if it exists, and $\varepsilon$ otherwise.

Note that $|x|$ does not return a string, so it is not an operation on $\Sigma^*$. Instead, we often consider the predicate $\mathrm{el}(x, y)$ which is true iff $|x| = |y|$.

We shall consider several structures on $\Sigma^*$. The basic one is the structure $S = (\Sigma^*, \prec, (l_a)_{a \in \Sigma})$. We could equivalently use unary predicates $L_a$, where $L_a(x)$ is true for strings of the form $x' \cdot a$. Note that in the presence of $\prec$, $l_a$ and $L_a$ are interdefinable, and we thus shall use both of them.

We further consider a number of extensions of $S$. In one of them characters can be added on the left as well as on the right. This structure is denoted by $S_{\mathrm{left}} = (\Sigma^*, \prec, (l_a)_{a \in \Sigma}, (f_a)_{a \in \Sigma})$. Another extension, denoted by $S_{\mathrm{len}}$, adds length comparisons via the $\mathrm{el}$ predicate (note that using $\prec$ and $\mathrm{el}$ one can express various relationships between lengths of strings, e.g. $|x| \mathrel{\{=, \neq, <, >\}} |y|$, $|x| = |y| + k$ for a constant $k$, etc.). To summarize, we mainly deal with the following structures:

•  $S = (\Sigma^*, \prec, (l_a)_{a \in \Sigma})$;

•  $S_{\mathrm{left}} = (\Sigma^*, \prec, (l_a)_{a \in \Sigma}, (f_a)_{a \in \Sigma})$;

•  $S_{\mathrm{len}} = (\Sigma^*, \prec, (l_a)_{a \in \Sigma}, \mathrm{el})$.

Once we consider regular algebras, we introduce two more structures; however, operations in them will be motivated by quantifier-elimination results for $S$ and $S_{\mathrm{left}}$ and thus those structures will be defined later.

There is a very close connection between $S_{\mathrm{len}}$ and an extension of Presburger arithmetic. Assume that $\Sigma = \{0, 1\}$. Let $\mathrm{val}(n)$, for $n \in \mathbb{N}$, be $n$ in binary, considered as a string in $\Sigma^*$. Let $V_2(n)$ be the largest power of 2 that divides $n$. Then $P \subseteq \mathbb{N}^k$ is definable in $(\mathbb{N}, +, V_2)$ iff $\{(\mathrm{val}(n_1), \dots, \mathrm{val}(n_k)) \mid (n_1, \dots, n_k) \in P\}$ is definable in $S_{\mathrm{len}}$ [8, 10].

Model theory background  Let $\Omega$ be a finite or countably infinite first-order signature, and $M$ a model over $\Omega$. By $\mathrm{FO}(M)$ we denote the set of all first-order formulae in the language of $\Omega$. The (complete) theory of $M$, $\mathrm{Th}(M)$, is the set of all sentences in $\mathrm{FO}(M)$ true in $M$. Two models $M$ and $M'$ over $\Omega$ are elementarily equivalent if $\mathrm{Th}(M) = \mathrm{Th}(M')$.

We say that $M$ admits quantifier elimination (QE) if for every formula $\varphi(\vec{x})$ in $\mathrm{FO}(M)$ there is a quantifier-free formula $\varphi'(\vec{x})$ such that $\varphi(\vec{x}) \leftrightarrow \varphi'(\vec{x})$ is true in $M$.

For a tuple $\vec{a}$ and a model $M$ over $\Omega$, we let $\mathrm{tp}_M(\vec{a})$ be the type of $\vec{a}$ in $M$ (the set of all formulae of $\mathrm{FO}(M)$ satisfied by $\vec{a}$), and $\mathrm{atp}_M(\vec{a})$ be the atomic type in $M$ (the set of all quantifier-free formulae of $\mathrm{FO}(M)$ satisfied by $\vec{a}$). If $A$ is a subset of $M$, $\mathrm{tp}_M(\vec{a}/A)$ is the type of $\vec{a}$ over $A$ in $M$ (the set of all FO-formulae over $\Omega \cup A$ satisfied by $\vec{a}$).

An $\omega$-saturated model $M$ over $\Omega$ is a model such that each consistent type over a finite set $A$ in $\mathrm{FO}(M)$ is satisfied in $M$. It is known [11] that every model $M$ over $\Omega$ has an elementarily equivalent $\omega$-saturated model $M^*$.

Isolation, VC-dimension  Let $T$ be a theory over $\Omega$ and $M$ be a model of $T$. A subset $A$ of $M$ is said to be pseudo-finite if $(M, A) \models F(T, P)$, where $P$ is a unary predicate, and $F(T, P)$ is the set of all formulae of $\mathrm{FO}(\Omega \cup \{P\})$ satisfied by all finite sets of elements in any model of $T$.

If $p$ is a type over $A$ in $M$, a subset $q$ of $p$ isolates $p$ if $p$ is the only type over $A$ in $M$ containing $q$. A complete theory $T$ over $\Omega$ is said to have the strong isolation property if for any model $M$ of $T$, any pseudo-finite set $A$ and any element $a$ in $M$, there is a finite subset $A_0$ of $A$ such that $\mathrm{tp}_M(a/A_0)$ isolates $\mathrm{tp}_M(a/A)$. We say that it has the isolation property if a countable $A_0$ exists as above.

Isolation is an interesting property in the database context because it implies certain collapse results for query languages [3, 17] and it is used for that purpose in [7]. Here we use it to provide bounds on the VC-dimension of definable families.

For a family $\mathcal{C}$ of subsets of a set $U$, and a set $F \subseteq U$, we say that $\mathcal{C}$ shatters $F$ if $\{F \cap C \mid C \in \mathcal{C}\}$ is the powerset of $F$. The VC-dimension of $\mathcal{C}$ is the maximum cardinality of a finite set shattered by $\mathcal{C}$ (or $\infty$, if arbitrarily large finite sets are shattered by $\mathcal{C}$). This concept is fundamental to learning theory, as finite VC-dimension of a hypothesis space is equivalent to learnability (PAC-learnability) [2, 4].

Now consider a structure $M = (\Sigma^*, \Omega)$, and an $\mathrm{FO}(M)$ formula $\varphi(\vec{x}, \vec{y})$. For each $\vec{a}$, let $\varphi(\vec{a}, M) = \{\vec{b} \mid M \models \varphi(\vec{a}, \vec{b})\}$. The family of sets $\varphi(\vec{a}, M)$, where $\vec{a}$ ranges over all tuples over $M$, is called a definable family. We say that $M$ has finite VC-dimension if every definable family has finite VC-dimension. In particular, this implies learnability of concepts defined in FO over $M$.

3  Regular algebra based on $S_{\mathrm{len}}$

As mentioned in the introduction, $S_{\mathrm{len}}$ is the canonical automatic structure, and relations definable in $S_{\mathrm{len}}$ are precisely the regular relations, that is, $k$-ary definable relations are precisely those given by letter-to-letter $k$-automata [9, 10]. In particular, this gives a normal form for $S_{\mathrm{len}}$-formulae. We introduce a new type of length-bounded quantifiers of the form $\exists |x| \le |y|$ and $\forall |x| \le |y|$. A formula $\exists |x| \le |y|\,\varphi$ is meant as an abbreviation for $\exists x\,(|x| \le |y| \wedge \varphi)$. Since every finite automaton can be simulated by a length-bounded $\mathrm{FO}(S_{\mathrm{len}})$ formula, we conclude that each $\mathrm{FO}(S_{\mathrm{len}})$ formula is equivalent to a length-bounded $\mathrm{FO}(S_{\mathrm{len}})$ formula. Note that this result can also be shown by a straightforward Ehrenfeucht-Fraïssé game argument.

The universal property of $S_{\mathrm{len}}$ mentioned above indicates that $S_{\mathrm{len}}$ may be "too rich" in relations for many applications. We present evidence for this by addressing the open question of [12, 26] whether $S_{\mathrm{len}}$ has quantifier elimination in a reasonable signature. One first needs to define what "reasonable" means here. Clearly, every structure has quantifier elimination in a sufficiently large expansion of the signature: add symbols for all definable predicates, for example. One can thus take reasonable to mean a finite expansion, but this is not satisfactory: for example, Presburger arithmetic has quantifier elimination in an infinite signature $(+, <, 0, 1, (\equiv \bmod k)_{k > 1})$. Note however that in this example, the maximum arity of the predicates and functions is 2. In fact, it appears to be a common phenomenon that when one proves quantifier elimination in an infinite signature, there is an upper bound on the arity of functions and predicates in it.

We thus view this condition as necessary for a signature to be "reasonable". In general, a reasonable signature might contain relation symbols as well as function symbols. Nevertheless, we can rule out the possibility of a reasonable, purely relational signature for which $S_{\mathrm{len}}$ has quantifier elimination. This is in contrast to the weaker structures that we consider, all of which have quantifier elimination in a relational signature of bounded arity. Consider the expansion of $S_{\mathrm{len}}$ with all definable predicates of arity at most $n$, and all definable functions of arity at most $m$. We show the following:

Theorem 1  (a) For any $n > 0$, and $m = 0, 1$, the expansion of $S_{\mathrm{len}}$ with all definable predicates of arity at most $n$ and all definable functions of arity at most $m$ does not have QE. In particular, there is a property definable in $S_{\mathrm{len}}$ which is not a Boolean combination of at most $n$-ary definable predicates in $S_{\mathrm{len}}$.

(b) The expansion of $S_{\mathrm{len}}$ with all unary predicates and binary functions has QE.

Proof sketch.  For (a), the property is whether, for an $N$-tuple of strings with $N$ sufficiently large, there is a position $i$ such that the $i$th symbol of all $N$ strings is 0. For (b), we show a stronger result, assuming that $\Sigma$ contains $\{0, 1\}$. We prove QE in a signature that contains the bitwise and, or, and not functions, left and right shifts, and the following two families of functions. $\mathrm{Fil}_a(w)$ has a 1 at position $i$ iff $w[i] = a$ and a 0 otherwise, and $\mathrm{Pat}_{j,k}(w)$ has the same length as $w$ and has a 1 at position $i$ iff $i \bmod k = j$ and a 0 otherwise, where $j < k$.

In the cases of both (a) and (b), the proofs are based on automata representations of definable sets, cf. [9]. □

Our next result shows another model-theoretic and computational shortcoming of $S_{\mathrm{len}}$: namely, a single formula $\varphi(\vec{x}, \vec{y})$ can define a widely varying collection of relations as we let the parameter $\vec{x}$ vary. We formalize this through the notion of VC-dimension.

Proposition 1  There are definable families in $S_{\mathrm{len}}$ that have infinite VC-dimension. □

4  Star-free algebra based on $S$

We now turn to the most obvious analog of $S_{\mathrm{len}}$ for the star-free sets. This is the model $S$, which is the most basic model among those studied in the paper. We show that it has remarkably nice behavior: it admits effective QE in a rather small extension of the signature. This immediately tells us that definable subsets of $\Sigma^*$ are precisely the star-free languages. We then characterize the $n$-dimensional definable relations in $S$ by their closure properties, and by an automaton model.

Note that $S$ is very close to strings considered as term algebras, that is, to $(\Sigma^*, \varepsilon, (l_a)_{a \in \Sigma})$. It is of course well-known that the theory of arbitrary term algebras is decidable and admits QE [24]. However, adding the prefix relation is not necessarily a trivial addition; for arbitrary term algebras with prefix (subterm), only the existential theory is decidable, but the full theory is undecidable [30] (similar results hold for other orderings on terms [13]). The undecidability result of [30] requires at least one binary term constructor; our results indicate that in the simpler case of strings one recovers QE with the prefix relation.

We start with a result that gives a normal form for formulae of $\mathrm{FO}(S)$. Given a set $S$ of strings, we let $\mathrm{Tree}(S)$ be the tree (i.e. the partially-ordered structure) generated by closing $S \cup \{\varepsilon\}$ under $\sqcap$. In other words, $\mathrm{Tree}(S)$ is the poset $(\{x \sqcap y \mid x, y \in S \cup \{\varepsilon\}\}, \prec)$. (Note that for any set of strings $s_1, \dots, s_k$, there are two indices $i, j \le k$ such that $s_1 \sqcap \dots \sqcap s_k = s_i \sqcap s_j$.)

A complete tree-order description of a vector $\vec{w}$ of variables is the atomic diagram of $\mathrm{Tree}(\vec{w})$ in the language of $\prec$. In other words, it is a specification of all the $\prec$ relations that hold and do not hold in $\mathrm{Tree}(\vec{w})$.

For each L ⊆ Σ*, let P_L be the set of pairs (x, y) of strings such that x ≺ y and y − x ∈ L. The following lemma is obvious, since it is well-known that star-free sets are first-order definable on string models [25].

Lemma 1 For each star-free language L, there is a formula φ_L(x, y) in FO(S) which defines P_L. □

We now give a normal form result for FO(S).

Proposition 2 Every formula in FO(S) can be effectively transformed into an equivalent formula which is a disjunction of formulae of the form

$\gamma(\bar x) \wedge \delta(\bar x)$

where γ(x̄) is a complete tree-order description over x̄ and δ(x̄) is a conjunction of formulae of the form φ_L(t(x̄), t'(x̄)), where L is star-free, t(x̄) and t'(x̄) are either ε or a term of the form x_i ⊓ x_j, and γ(x̄) implies that t(x̄) is an immediate successor of t'(x̄) in the tree-order.

Proof is by induction on the structure of the formula. □
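The objects used by the normal form above, as an added example (not code from the paper): the longest common prefix ⊓, the tree Tree(S) obtained by closing a set of strings under ⊓, the remark that iterated meets reduce to pairwise ones, the complete tree-order description, and the edges of Tree(S) together with the labels v − u that the predicates P_L speak about. The sample set of strings is constructed.

```python
# Added example, not from the paper: the longest common prefix x ⊓ y, the tree
# Tree(S) generated by closing S ∪ {ε} under ⊓, the complete tree-order
# description (atomic diagram of ≺ on Tree(S)) and the tree edges whose labels
# v − u are what the predicates P_L in Proposition 2 constrain.  The sample set
# of strings is constructed.
from functools import reduce
from itertools import combinations


def meet(x, y):
    """x ⊓ y: the longest common prefix of x and y."""
    i = 0
    while i < min(len(x), len(y)) and x[i] == y[i]:
        i += 1
    return x[:i]


def is_prefix(x, y):
    """x ≺ y: x is a (not necessarily proper) prefix of y."""
    return y.startswith(x)


def tree(strings):
    """Tree(S) as a set of nodes: {x ⊓ y | x, y ∈ S ∪ {ε}}; ordered by ≺ it is a tree."""
    base = set(strings) | {""}
    return {meet(x, y) for x in base for y in base}


def pairwise_meets_suffice(strings):
    """Check the remark following the definition of Tree(S): for every finite
    family s_1, ..., s_k the meet s_1 ⊓ ... ⊓ s_k equals s_i ⊓ s_j for some i, j.
    This is why closing under the binary ⊓ already yields all iterated meets."""
    strings = list(strings)
    for k in range(1, len(strings) + 1):
        for fam in combinations(strings, k):
            total = reduce(meet, fam)
            if not any(meet(s, t) == total for s in fam for t in fam):
                return False
    return True


def tree_order_description(strings):
    """Complete tree-order description: for each ordered pair (u, v) of nodes
    of Tree(S), whether u ≺ v holds (True) or does not hold (False)."""
    nodes = tree(strings)
    return {(u, v): is_prefix(u, v) for u in nodes for v in nodes}


def is_immediate_successor(u, v, nodes):
    """v is an immediate successor of u in the tree-order on `nodes`:
    u ≺ v, u ≠ v, and no other node lies strictly between them."""
    if u == v or not is_prefix(u, v):
        return False
    return not any(w not in (u, v) and is_prefix(u, w) and is_prefix(w, v) for w in nodes)


def tree_edges(strings):
    """Edges (u, v) of Tree(S) labelled with v − u (v with the prefix u removed).
    The conjuncts φ_L of Proposition 2 relate a node to its immediate successor
    in the tree, i.e. they constrain exactly these labels, since P_L(x, y)
    holds iff x ≺ y and y − x ∈ L."""
    nodes = tree(strings)
    return {(u, v): v[len(u):]
            for u in nodes for v in nodes if is_immediate_successor(u, v, nodes)}


# Constructed sample: S = {aab, aac, ab, b}; closing under ⊓ adds ε, a and aa.
SAMPLE = ("aab", "aac", "ab", "b")

if __name__ == "__main__":
    print(sorted(tree(SAMPLE)))                 # ['', 'a', 'aa', 'aab', 'aac', 'ab', 'b']
    print(pairwise_meets_suffice(SAMPLE))       # True
    print(tree_edges(SAMPLE)[("aa", "aab")])    # 'b'
```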

Let S⁺ be the expansion of S to the signature that contains ε, ⊓ and a binary predicate P_L for each star-free language L. Note that S⁺ is a definable expansion of S, as all additional functions and predicates are definable. From the normal form we now immediately obtain:

Theorem 2 S⁺ admits quantifier elimination.

Remark. As mentioned above there is no need to nest the ⊓-operator. Therefore, S⁺ can be turned into a relational signature that admits quantifier elimination as follows. For each star-free L let P'_L be the set of tuples (s_1, s_2, s_3, s_4) of strings for which P_L(⊓(s_1, s_2), ⊓(s_3, s_4)) holds. Note that ⊓(s_1, s_2) ≺ ⊓(s_3, s_4) can be expressed as P_{Σ*}(⊓(s_1, s_2), ⊓(s_3, s_4)). It is straightforward to check that this signature admits quantifier elimination. In the same way, the quantifier elimination results in the remainder of the paper can be turned into quantifier elimination results in a relational signature.

Note also that S⁺ could be considered as an expansion of S with either functions l_a or predicates L_a in the signature. In the latter case, predicates L_a are not needed as L_a(x) iff P_{Σ*a}(ε, x).

Another corollary of the normal form is that in the language of S, it suffices to use only bounded quantification. That is, we introduce bounded quantifiers of the form ∃x ≺ y and ∀x ≺ y (where ∃x ≺ y ψ means ∃x (x ≺ y ∧ ψ)), and let FO_b(S) be the restriction of FO(S) to formulae φ(y_1, ..., y_k) in which all quantifiers are of the form Qx ≺ y_i. From the normal form and the fact that each φ_L can be defined with bounded quantifiers, we obtain:

Corollary 1 FO_b(S) = FO(S). □

Finally, we characterize S-definable subsets of Σ* and (Σ*)^k. Given a subset R ⊆ (Σ*)^k and a permutation π on {1, ..., k}, by π(R) we mean the set

$\{ (x_{\pi(1)}, \ldots, x_{\pi(k)}) \mid (x_1, \ldots, x_k) \in R \}$.

Corollary 2

a) A language L ⊆ Σ* is definable in S iff it is star-free.

b) The class of relations definable over FO(S) is the minimal class containing the empty set, {ε}, {a} for a ∈ Σ, ⊓, and closed under Boolean operations, Cartesian product, permutation, and the operation ∗ defined by

$L_1 * L_2 = \{ (s_1, s_1 \cdot s_2) \mid s_1 \in L_1,\ s_2 \in L_2 \}$ for $L_1, L_2 \subseteq \Sigma^*$.

Proof a) S⁺ formulae in one free variable are Boolean combinations of P_L(ε, x), for L star-free, and thus they define only star-free languages.

b) For one direction notice that ε, {a}, ≺, ⊓ are definable in FO(S), and that FO(S) is closed under Boolean operations, permutation and Cartesian product. The closure under ∗ is an easy consequence of Lemma 1 as L_1 ∗ L_2 corresponds to {(x, y) | φ_{L_1}(ε, x) ∧ φ_{L_2}(x, y)}. The other direction follows from the normal form. □

Note that the projection operation is not needed in the closure result above.

Automaton We now give an automaton model characterizing definability in FO(S). This automaton model corresponds exactly to the counter-free variant of regular prefix automaton as defined in [1].

Let us recall the definition of regular prefix automaton. Let A be a finite non-deterministic automaton on strings with state set Q, transition relation δ and initial state q_0. We construct from A an automaton Ā = (Σ, Q, q_0, F, δ) accepting n-tuples w̄ = (w_1, ..., w_n) of strings in the following way. F is a subset of Q^n which denotes the accepting states of Ā. Let prefix(w̄) be the set of all prefixes of all w_i. A run of Ā over w̄ is a mapping h from prefix(w̄) to Q which assigns to every node α ∈ prefix(w̄) a state q ∈ Q such that h(ε) = q_0 and, β = l_a(α) implies h(β) ∈ δ(h(α), a). The run is accepting if (h(w_1), ..., h(w_n)) ∈ F. The n-tuple w̄ is accepted by Ā if there is an accepting run of Ā over w̄. See [1] for more details.

For each finite non-deterministic automaton A the corresponding automaton Ā is called regular prefix automaton (RPA). The subset of (Σ*)^n, n ∈ ℕ, it defines is called a regular prefix relation (RPR).
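The run semantics of a regular prefix automaton just recalled, as an added example (not code from the paper or from [1]): a run is a labelling of the prefix tree prefix(w̄), and the tuple is accepted when some run ends in F. The NFA, the accepting set F and the sample tuples are constructed; the example NFA is chosen so that the components of the tuple are coupled through their shared prefix, which is exactly what distinguishes an RPR from a product of languages.

```python
# Added example (not the paper's code): the regular prefix automaton (RPA)
# of Section 4, run over an n-tuple of strings as a labelling h of the
# prefix tree prefix(w̄).  The NFA, F and the sample tuples are constructed.

def prefixes(words):
    """prefix(w̄): every prefix of every w_i, including the empty string."""
    return {w[:i] for w in words for i in range(len(w) + 1)}


def leaf_labellings(delta, q0, words):
    """Return the set of tuples (h(w_1), ..., h(w_n)) over all runs h.

    A run is a map h: prefix(w̄) -> Q with h(ε) = q0 such that beta = alpha·a
    implies h(beta) ∈ delta(h(alpha), a).  delta is a dict {(state, letter): set}.
    Sibling subtrees never share a node, so their labellings combine freely
    (Cartesian product); the components w_i inside one subtree all depend on
    the single state chosen for that subtree's root, which is where the
    coupling between components of the tuple comes from.
    """
    nodes = prefixes(words)
    alphabet = sorted({c for w in words for c in w})

    def sub(alpha, q):
        # All partial tuples {i: h(w_i)} for the w_i below alpha, given h(alpha) = q.
        partial = [{i: q for i, w in enumerate(words) if w == alpha}]
        for a in alphabet:
            beta = alpha + a
            if beta not in nodes:
                continue
            options = set()
            for q2 in delta.get((q, a), ()):
                options |= {tuple(sorted(d.items())) for d in sub(beta, q2)}
            # an empty `options` means no run passes through alpha with state q
            partial = [{**p, **dict(o)} for p in partial for o in options]
        return partial

    return {tuple(d[i] for i in range(len(words))) for d in sub("", q0)}


def rpa_accepts(delta, q0, F, words):
    """w̄ is accepted iff some run ends in a tuple of F ⊆ Q^n."""
    return any(t in F for t in leaf_labellings(delta, q0, words))


# Constructed NFA over {0,1}: from q0 the first letter forces a guess, a or b,
# which is then kept forever.  All nodes below the same first-letter child of
# the root therefore carry the same guess.
DELTA = {
    ("q0", "0"): {"a", "b"}, ("q0", "1"): {"a", "b"},
    ("a", "0"): {"a"}, ("a", "1"): {"a"},
    ("b", "0"): {"b"}, ("b", "1"): {"b"},
}
# With F = {(a, b)} the RPA accepts (w1, w2) exactly when both strings are
# non-empty and start with different letters: a relation on pairs that is not
# a Cartesian product of two languages.
F_DIFF = {("a", "b")}

if __name__ == "__main__":
    print(rpa_accepts(DELTA, "q0", F_DIFF, ("01", "10")))   # True
    print(rpa_accepts(DELTA, "q0", F_DIFF, ("01", "00")))   # False: shared prefix "0"
    print(rpa_accepts(DELTA, "q0", F_DIFF, ("", "1")))      # False: h(ε) = q0
```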

If the automaton A is counter-free then we say that the corresponding automaton Ā is counter-free (CF-PA). The following shows that the relations definable in FO(S) are exactly those recognizable by a CF-PA.

Proposition 3 A relation is definable in FO(S) if and only if it is definable by a counter-free prefix automaton. □

It should be noted that FO(S) can also be characterized by means of counter-free deterministic bottom-up automata.

VC-dimension and Isolation In addition to quantifier elimination, S has some further model-theoretic properties that distinguish it from S_len.

Proposition 4 Th(S) has the strong isolation property. □

As a corollary of the isolation property, we prove that, unlike for S_len, the definable families for S are learnable. First, we need the following.

Proposition 5 Let M be a model with the isolation property. Then its definable families have finite VC-dimension.

We give two proofs of this result in the full version; one is a complexity-theoretic argument, the other model-theoretic. □

It follows that the model S, unlike S_len, has learnable definable families.

Corollary 3 Every definable family in S has finite VC-dimension. □

5 Star-free algebra based on S_left

We now study an example of a star-free algebra, one where the n-ary relations in the algebra are more complex than those definable over S. Recall that S_left = (Σ*, ≺, (l_a)_{a∈Σ}, (f_a)_{a∈Σ}); that is, in this structure one can add characters on the left as well as on the right.

Without the prefix relation, this structure was studied in [27], where a quantifier-elimination result was proved, by extending quantifier-elimination for term algebras (in fact [27] showed that term algebras with queues admit QE). However, as in the case of S, which differs from strings as term algebras in that it has the prefix relation, here, too, the prefix relation complicates things considerably.

We start with an easy observation that FO(S_left) expresses more relations than FO(S). Indeed, the graph of f_a, F_a = {(x, a · x) | x ∈ Σ*}, is not expressible in FO(S), which can be shown by a simple game argument. More precisely, given a number k of rounds, let n = 2^k + 1 and consider the game on the tuples (0^n, 10^n) and (0^{n+1}, 10^n). By Corollary 1 it is sufficient to play on the prefixes of the participating strings. The duplicator has a trivial winning strategy on the strings 10^n and a well-known winning strategy on 0^n versus 0^{n+1}.

Let S_left⁺ be the extension of S_left with the same (definable) functions and predicates we added to S⁺ (that is, a constant ε for the empty string, the binary function ⊓ for the longest common prefix, the predicate P_L(x, y) for each star-free language L), and the unary function x ↦ x − a, for each a ∈ Σ (which is also definable).

Theorem 3 S_left⁺ admits quantifier elimination.

Proof sketch. Let Ω_{S⁺} and Ω_{S_left⁺} be the first-order signatures of S⁺ and S_left⁺. Let M be an ω-saturated model over Ω_{S_left⁺} elementarily equivalent to S_left⁺. It suffices to prove quantifier elimination in M. Note that M can have both finite and infinite strings. To prove QE, we must show that every two tuples of elements of M that have the same atomic type have the same type. Define a nice term of Ω_{S_left⁺} as a term of the form t(x) = x − a + b, where a and b are finite strings. Given two tuples c̄ and d̄ of the same length over M, define two relations on them:

• c̄ ≡ d̄ iff for all sequences i_1, ..., i_k from {1, ..., n} (where n is the length of c̄) and all sequences t_1, ..., t_k of nice terms:

$\mathrm{atp}_{S^+}(t_1(c_{i_1}), \ldots, t_k(c_{i_k})) = \mathrm{atp}_{S^+}(t_1(d_{i_1}), \ldots, t_k(d_{i_k}))$

• (c', c̄) ≡_1 (d', d̄) iff for all sequences i_1, ..., i_k from {1, ..., n} and all sequences t_1, ..., t_k of nice terms:

$\mathrm{atp}_{S^+}(c', t_1(c_{i_1}), \ldots, t_k(c_{i_k})) = \mathrm{atp}_{S^+}(d', t_1(d_{i_1}), \ldots, t_k(d_{i_k}))$

Of course, (c', c̄) ≡ (d', d̄) implies (c', c̄) ≡_1 (d', d̄), as the identity is a nice term. We then prove the main lemma, which shows that these two relations coincide; that is, if (c', c̄) ≡_1 (d', d̄), then also (c', c̄) ≡ (d', d̄).

Using this, we show that ≡ has the back-and-forth property in M (which is actually stronger than what is needed for quantifier-elimination). The theorem follows from the lemma, as each type of the form atp_{S⁺}(t_1(c_{i_1}), ..., t_k(c_{i_k})) is also an atomic type of S_left⁺. Hence, the atomic types determine the types. For details, see the full version [6]. □

From the previous theorem we get the following corollaries. First, the back-and-forth property of ≡_1 gives us the following normal form for FO(S_left⁺) formulae.

Corollary 4 For every FO(S_left) formula φ(x̄, ȳ) there is an FO(S) formula φ'(x̄, z̄) and a finite set of nice S_left⁺ terms t̄ such that

$\forall \bar x \bar y\; \varphi(\bar x, \bar y) \leftrightarrow \varphi'(\bar x, \bar t(\bar y))$

holds in S_left. □

Then Corollary 4 for the empty tuple ȳ and Corollary 2 imply:

Corollary 5 Subsets of Σ* definable over S_left are precisely the star-free languages. □

For formulae in the language of S_left (as opposed to S_left⁺), we can show that bounded quantification suffices, although the notion of bounded quantification is slightly different here from that used in the previous section. Let N_p(s) be the prefix-closure of {s − s_1 + s_2 | |s_1|, |s_2| ≤ p}. Clearly N_p(s) is definable from s over S_left. We then define FO_*(S_left) as the class of FO(S_left) formulae φ(x̄) in which all quantification is of the form ∃z ∈ N_p(x_i) and ∀z ∈ N_p(x_i), where x_i is a free variable of φ and p ≥ 0 is arbitrary.

Corollary 6 FO_*(S_left) = FO(S_left). □

Isolation and VC-dimension We now show that the results about isolation and VC-dimension extend from S to S_left.

Proposition 6 Th(S_left) has the isolation property. □

Since the argument for Corollary 3 actually shows that isolation implies finite VC-dimension, we conclude:

Corollary 7 Every definable family in S_left has finite VC-dimension. □


6 Regular algebra extending S

The previous sections presented star-free algebras with attractive properties. We now give an example of a regular algebra that has significantly less expressive power than the rich structure S_len, and which shares some of the nicer properties of the star-free algebras in the previous sections.

This algebra can be obtained by considering two possible ways of extending FO(S); the first is by adding the predicates P_L for all regular languages L; that is, predicates P_L(x, y) which hold for x ≺ y such that y − x ∈ L, where L is a regular language. The second extension is by using monadic second-order logic instead of only first-order logic. It turns out that these extensions define exactly the same algebra. We show this, and also show that the resulting regular algebra shares the QE and VC-dimension properties of the star-free algebras defined previously.

Let S_reg = (Σ*, ≺, (l_a)_{a∈Σ}, (P_L)_{L regular}). Since it defines arbitrary regular languages in Σ*, it is a proper extension of S. Every FO(S_reg)-definable set is definable over S_len, because the predicates P_L are definable in S_len (the easiest way to see this is by using the characterization of S_len-definable properties via letter-to-letter automata). Thus, we have:

Proposition 7 Subsets of Σ* definable over S_reg are precisely the regular languages. □

Let S_reg⁺ be the extension of S_reg with ε and ⊓. Most of the results about S and S⁺ from Section 4 can be straightforwardly lifted to S_reg and S_reg⁺. For example, the normal form Proposition 2 holds for S_reg if one replaces “star-free” with “regular”: the proof given in Section 4 applies verbatim. From this normal form we immediately obtain:

Theorem 4 S_reg⁺ admits quantifier elimination. □

The normal form result also shows that neither the functions f_a nor the predicate el are definable in S_reg (the former can also be seen from the fact that S_reg has QE in a signature of bounded arity, and S_len does not; for inexpressibility of f_a it suffices to apply the normal form results to pairs of strings of the form (1 · 0^k, 0^k)). One can also show, as in the case of S, that bounded quantification over prefixes is sufficient.

Our next aim is to show that FO(S_reg) gives us exactly the same algebra of definable sets as MSO(S).

Notice first that each relation definable in FO(S_reg) is already definable in MSO(S) because each predicate P_L is definable in MSO. We will show in the following that the converse implication also holds.

The proof relies on a lemma which essentially shows that the monadic second-order type of a tuple of strings only depends on its tree-order type and the monadic second-order types of the paths between the strings and their common prefixes.

For a sequence ā = (a_1, ..., a_n) of strings, let T_ā be the structure

For each string w ∈ Σ*, let P_w be the finite structure (I_w, <, (R_a)_{a∈Σ}, 1, |w|) where I_w is {1, ..., |w|}, < is the usual order and, for each a ∈ Σ, R_a is the set of all positions of w that carry the letter a. For two strings u, v ∈ Σ*, we write u ≡_k v if P_u ≡_{MSO_k} P_v.

Lemma 2 For each k ≥ 0, there is k' ≥ 0 such that the following holds. Let ā = (a_1, ..., a_n), b̄ = (b_1, ..., b_n) be sequences of strings for which there is a tree isomorphism h : Tree(ā) → Tree(b̄) such that

(i) for each i ∈ {1, ..., n}, h(a_i) = b_i, and

(ii) whenever u is the immediate predecessor of v in Tree(ā) then v − u ≡_{k'} h(v) − h(u).

Then T_ā ≡_{MSO_k} T_b̄. □

As both conditions (i) and (ii) of the Lemma are expressible in FO(S_reg), we obtain:

Theorem 5 FO(S_reg) = MSO(S). □

The bounded monadic second-order quantifier ∃X ≺ y is defined as follows. A formula ∃X ≺ y φ holds if and only if ∃X (∀x X(x) → x ≺ y) ∧ φ holds. We define MSO_b(S) by binding all first-order and monadic second-order quantifiers.

From Theorem 5 we can easily derive the following corollaries.

Corollary 8

• MSO_b(S) = MSO(S)

• Subsets of Σ* definable in MSO(S) are exactly the regular languages.

Automata model, isolation, and VC dimension It was proved in [1] that Regular Prefix Relations (RPR) (those definable by Regular Prefix Automata (RPA), introduced in Section 4) are exactly those definable in MSO(S). Thus Theorem 5 together with the results of [1] gives a new characterization of FO(S_reg).

Figure 1. Relationships between S, S_left, S_reg, S_reg,left, and S_len.

Corollary 9 The relations definable in FO(S_reg) are exactly the RPR relations. Thus each relation definable in FO(S_reg) is recognizable by a RPA. □

The proof of the isolation property for S (Proposition 4) is unaffected by the change from star-free P_L to regular P_L. Thus, we obtain:

Corollary 10 Th(S_reg) has the isolation property, and definable families of S_reg have finite VC-dimension. □

7 Regular algebra extending S_left

We now give a final example of a regular algebra. Let S_reg,left be the common expansion of S_left and S_reg, that is, (Σ*, ≺, (l_a)_{a∈Σ}, (f_a)_{a∈Σ}, (P_L)_{L regular}). Since S_reg cannot express the functions f_a, and S_left cannot define arbitrary regular sets, we see that S_reg,left is a proper expansion of S_reg and S_left. Furthermore, all S_reg,left-definable sets are S_len-definable; the finiteness of VC dimension for S_reg,left, shown below, implies that this containment is proper, too.

Let S_reg,left⁺ be the common expansion of S_left⁺ and S_reg⁺, that is, the expansion of S_reg,left with ε and ⊓. The techniques of the previous sections can be used to show the following:

Theorem 6 S_reg,left⁺ has quantifier-elimination. Furthermore, Th(S_reg,left) has the isolation property, and definable families in S_reg,left have finite VC-dimension. □

Similarly to S_left, we derive from the proof of Theorem 6 the following normal form for S_reg,left formulae:

Corollary 11 For every FO(S_reg,left) formula φ(x̄, ȳ) there is an FO(S_reg) formula φ'(x̄, z̄) and a finite set of nice S_left⁺ terms t̄ such that

$\forall \bar x \bar y\; \varphi(\bar x, \bar y) \leftrightarrow \varphi'(\bar x, \bar t(\bar y))$

holds in S_reg,left. □

We conclude this section with a remark showing that arithmetic properties definable in the structures S, S_left, S_reg, S_reg,left are weaker than those definable in S_len. As we mentioned earlier, under the binary encoding, S_len gives us an extension of Presburger arithmetic; namely, it defines + and V_2, where V_2(x) is the largest power of 2 that divides x. But even S_reg,left is much weaker:

Proposition 8 Neither successor, nor order, nor addition, are definable in S_reg,left (and hence in S, S_reg, S_left). □

8 Conclusion

There has been significant interest in theoretical computer science in understanding the structure of the regular languages, and in identifying subclasses of the regular languages that have special properties [29, 28]. Our work can be seen as an extension of this program, where we consider subclasses of the regular n-ary relations rather than the regular sets. In our approach, however, we do not focus on properties that hold of one particular regular relation by itself, but rather look at some desirable properties of a whole algebra of relations lying within the structure S_len.

We have shown a sharp contrast between the behavior of the full algebra of regular relations of S_len, and those of various submodels such as S, S_left, S_reg, and S_reg,left. We show that the latter are more tractable in many respects. Furthermore, we show that the behavior of an algebra of relations is not at all determined by the one-dimensional sets (subsets of Σ*) in the algebra; for example, one can have fairly complex binary relations definable, yet still maintain the property that all definable subsets of Σ* are star-free. Figure 1 summarizes the relationships between the star-free and regular algebras we considered here.

A key question is how many relations one can add to the models S_left or S_reg and still have the attractive properties like QE and finite VC-dimension. Is there a model that is somehow maximal with respect to these properties? We would very much like to know the answer to this question. There are also several natural candidate models that would seem amenable to the approach taken here, and where one would expect the same results to go through; for example, if one allows the operation concatenating a fixed sequence “in the middle” of a string, rather than on the left or on the right, is the resulting model still tractable?